Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
hKWBNgRd7p.exe

Overview

General Information

Sample name:hKWBNgRd7p.exe
renamed because original name is a hash value
Original sample name:1f28042480cd4617e127e0a40f0bd958bacba132d5d41a78a1a002529ed7b6da.exe
Analysis ID:1537992
MD5:6733c81ba7e5e5a8bb1e10c032f5eeec
SHA1:92494390952fcdc36cdfb005feeebf1970cd805b
SHA256:1f28042480cd4617e127e0a40f0bd958bacba132d5d41a78a1a002529ed7b6da
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • hKWBNgRd7p.exe (PID: 3192 cmdline: "C:\Users\user\Desktop\hKWBNgRd7p.exe" MD5: 6733C81BA7E5E5A8BB1E10C032F5EEEC)
    • Xslide.exe (PID: 6300 cmdline: "C:\Users\user\AppData\Roaming\Xslide.exe" MD5: 92D8E68510A37876B612FE5DE1204F19)
      • WerFault.exe (PID: 6516 cmdline: C:\Windows\system32\WerFault.exe -u -p 6300 -s 1656 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • BootstrapperV1.22.exe (PID: 6788 cmdline: "C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe" MD5: 2A4DCF20B82896BE94EB538260C5FB93)
      • conhost.exe (PID: 4276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2924 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 3812 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • WerFault.exe (PID: 5560 cmdline: C:\Windows\system32\WerFault.exe -u -p 6788 -s 2196 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
\Device\ConDrvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
    C:\Users\user\AppData\Roaming\Xslide.exeJoeSecurity_XWormYara detected XWormJoe Security
      C:\Users\user\AppData\Roaming\Xslide.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
        C:\Users\user\AppData\Roaming\Xslide.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0xf3ad:$s6: VirtualBox
        • 0xf30b:$s8: Win32_ComputerSystem
        • 0x11409:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x114a6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x115bb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x109bb:$cnc4: POST / HTTP/1.1

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000002.00000002.2338478812.000000000307C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xf1ad:$s6: VirtualBox
            • 0xf10b:$s8: Win32_ComputerSystem
            • 0x11209:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x112a6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x113bb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x107bb:$cnc4: POST / HTTP/1.1
            00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0x30a0d:$s6: VirtualBox
              • 0x43c4d:$s6: VirtualBox
              • 0x3096b:$s8: Win32_ComputerSystem
              • 0x43bab:$s8: Win32_ComputerSystem
              • 0x32a69:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x45ca9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x32b06:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x45d46:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x32c1b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x45e5b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x3201b:$cnc4: POST / HTTP/1.1
              • 0x4525b:$cnc4: POST / HTTP/1.1
              Click to see the 3 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.hKWBNgRd7p.exe.33d58a0.2.unpackJoeSecurity_XWormYara detected XWormJoe Security
                0.2.hKWBNgRd7p.exe.33d58a0.2.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0xd5ad:$s6: VirtualBox
                • 0xd50b:$s8: Win32_ComputerSystem
                • 0xf609:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0xf6a6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0xf7bb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0xebbb:$cnc4: POST / HTTP/1.1
                0.2.hKWBNgRd7p.exe.33c2660.1.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  0.2.hKWBNgRd7p.exe.33c2660.1.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                  • 0xd5ad:$s6: VirtualBox
                  • 0xd50b:$s8: Win32_ComputerSystem
                  • 0xf609:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                  • 0xf6a6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                  • 0xf7bb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                  • 0xebbb:$cnc4: POST / HTTP/1.1
                  2.0.Xslide.exe.e20000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                    Click to see the 8 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Suspicious Network Command
                    Source: Process startedAuthor: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe" , ParentImage: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe, ParentProcessId: 6788, ParentProcessName: BootstrapperV1.22.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 2924, ProcessName: cmd.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-10-20T01:29:07.284361+020028033053Unknown Traffic192.168.2.549707172.67.203.125443TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: hKWBNgRd7p.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeAvira: detection malicious, Label: TR/Spy.Gen
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeReversingLabs: Detection: 63%
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeReversingLabs: Detection: 87%
                    Multi AV Scanner detection for submitted file
                    Source: hKWBNgRd7p.exeReversingLabs: Detection: 60%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: hKWBNgRd7p.exeJoe Sandbox ML: detected
                    Sample uses string decryption to hide its real strings
                    Source: 2.0.Xslide.exe.e20000.0.unpackString decryptor: d8zyctl.localto.net
                    Source: 2.0.Xslide.exe.e20000.0.unpackString decryptor: 3631
                    Source: 2.0.Xslide.exe.e20000.0.unpackString decryptor: <123456789>
                    Source: 2.0.Xslide.exe.e20000.0.unpackString decryptor: <Xwormmm>
                    Source: 2.0.Xslide.exe.e20000.0.unpackString decryptor: XWorm V5.6
                    Source: 2.0.Xslide.exe.e20000.0.unpackString decryptor: USB.exe
                    Source: 2.0.Xslide.exe.e20000.0.unpackString decryptor: %AppData%
                    Source: 2.0.Xslide.exe.e20000.0.unpackString decryptor: FluxusV1.2
                    Source: hKWBNgRd7p.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.5:49708 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.5:49712 version: TLS 1.2
                    Source: hKWBNgRd7p.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Data.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Windows.Forms.pdbE source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA6005000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Numerics.pdbMZ@ source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: em.pdb source: BootstrapperV1.22.exe, 00000003.00000002.2303007371.000001EDBE789000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Data.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Data.ni.pdbRSDSC source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Xml.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA6005000.00000004.00000800.00020000.00000000.sdmp, WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Numerics.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Data.pdbH source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.pdb8n source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: mscorlib.pdb` source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: mscorlib.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Drawing.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Management.pdb source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdb source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb(U source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Runtime.Serialization.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 2.0.Xslide.exe.e20000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Xslide.exe, type: DROPPED
                    Source: global trafficHTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
                    Source: global trafficHTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 172.67.203.125 172.67.203.125
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: ip-api.com
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49707 -> 172.67.203.125:443
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
                    Source: global trafficHTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: getsolara.dev
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: clientsettings.roblox.com
                    Source: global trafficDNS traffic detected: DNS query: www.nodejs.org
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:6463
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5D31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:6463/rpc?v=1
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:64632
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://clientsettings.roblox.com
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edge-term4-fra2.roblox.com
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://getsolara.dev
                    Source: Xslide.exe, 00000002.00000002.2338478812.0000000003132000.00000004.00000800.00020000.00000000.sdmp, Xslide.exe, 00000002.00000002.2338478812.0000000003119000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: hKWBNgRd7p.exe, 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Xslide.exe, 00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Xslide.exe, 00000002.00000002.2338478812.0000000003098000.00000004.00000800.00020000.00000000.sdmp, Xslide.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: BootstrapperV1.22.exe.0.drString found in binary or memory: http://james.newtonking.com/projects/json
                    Source: Xslide.exe, 00000002.00000002.2338478812.0000000003119000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.nodejs.org
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://300fa622.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EAD000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EBF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://300fa622.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drString found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clientsettings.roblox.com
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5D31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
                    Source: BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drString found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5DDA000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getsolara.dev
                    Source: BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe.0.drString found in binary or memory: https://getsolara.dev/api/endpoint.json
                    Source: BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5D31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5D43000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe.0.drString found in binary or memory: https://getsolara.dev/asset/discord.json
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw
                    Source: BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drString found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c
                    Source: BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5D31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe.0.drString found in binary or memory: https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EA9000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ncs.roblox.com/upload
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EA5000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/pjseRvyK
                    Source: BootstrapperV1.22.exe.0.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nodejs.org
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drString found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                    Source: BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                    Source: unknownHTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.5:49708 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.5:49712 version: TLS 1.2

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 2.0.Xslide.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\Xslide.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D823212_2_00007FF848D82321
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D816E92_2_00007FF848D816E9
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D860B62_2_00007FF848D860B6
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D86E622_2_00007FF848D86E62
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D8172B2_2_00007FF848D8172B
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D820ED2_2_00007FF848D820ED
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D808602_2_00007FF848D80860
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D810382_2_00007FF848D81038
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeCode function: 3_2_00007FF848DB6DB03_2_00007FF848DB6DB0
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeCode function: 3_2_00007FF848DC25403_2_00007FF848DC2540
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe EBBCB489171ABFCFCE56554DBAEACD22A15838391CBC7C756DB02995129DEF5A
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6300 -s 1656
                    Source: hKWBNgRd7p.exe, 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXslide.exe4 vs hKWBNgRd7p.exe
                    Source: hKWBNgRd7p.exeBinary or memory string: OriginalFilenameLifeForce.exe4 vs hKWBNgRd7p.exe
                    Source: hKWBNgRd7p.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 2.0.Xslide.exe.e20000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\Xslide.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: hKWBNgRd7p.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: hKWBNgRd7p.exe, Zjs0fKbdgNIsOyk6EFccjn4jK9X0GINKleBVRNd0BbITspljWUmws5hUFo77fFTtsy47dhEKCrzImSMTMPgB.csCryptographic APIs: 'TransformFinalBlock'
                    Source: Xslide.exe.0.dr, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: Xslide.exe.0.dr, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: Xslide.exe.0.dr, Mdi7VGquZFgtdTsHjR8vrdhAoJfGaCU6KeLtwJw90OtRcrbKMQQPXeQR7mjcE4Poo.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, Mdi7VGquZFgtdTsHjR8vrdhAoJfGaCU6KeLtwJw90OtRcrbKMQQPXeQR7mjcE4Poo.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, Mdi7VGquZFgtdTsHjR8vrdhAoJfGaCU6KeLtwJw90OtRcrbKMQQPXeQR7mjcE4Poo.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: Xslide.exe.0.dr, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: Xslide.exe.0.dr, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@13/14@4/5
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeFile created: C:\Users\user\AppData\Roaming\Xslide.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeMutant created: \Sessions\1\BaseNamedObjects\3ZqVHEMDL1E1Cp78y
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeMutant created: \Sessions\1\BaseNamedObjects\z3pOGLJ4iGaA67yv
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6300
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2296:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6788
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeFile created: C:\Users\user\AppData\Local\Temp\node-v18.16.0-x64.msiJump to behavior
                    Source: hKWBNgRd7p.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: hKWBNgRd7p.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: hKWBNgRd7p.exeReversingLabs: Detection: 60%
                    Source: unknownProcess created: C:\Users\user\Desktop\hKWBNgRd7p.exe "C:\Users\user\Desktop\hKWBNgRd7p.exe"
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess created: C:\Users\user\AppData\Roaming\Xslide.exe "C:\Users\user\AppData\Roaming\Xslide.exe"
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess created: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe"
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6300 -s 1656
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6788 -s 2196
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess created: C:\Users\user\AppData\Roaming\Xslide.exe "C:\Users\user\AppData\Roaming\Xslide.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess created: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /allJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /allJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: hKWBNgRd7p.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: hKWBNgRd7p.exeStatic file information: File size 1073152 > 1048576
                    Source: hKWBNgRd7p.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Data.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Windows.Forms.pdbE source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA6005000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Numerics.pdbMZ@ source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: em.pdb source: BootstrapperV1.22.exe, 00000003.00000002.2303007371.000001EDBE789000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Data.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Data.ni.pdbRSDSC source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Xml.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA6005000.00000004.00000800.00020000.00000000.sdmp, WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Numerics.ni.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Data.pdbH source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.pdb8n source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: mscorlib.pdb` source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: mscorlib.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Drawing.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Management.pdb source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdb source: WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb(U source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Runtime.Serialization.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Numerics.pdb source: WER3730.tmp.dmp.13.dr
                    Source: Binary string: System.ni.pdb source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER3730.tmp.dmp.13.dr, WER1E87.tmp.dmp.10.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: Xslide.exe.0.dr, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.lmEtPOBJ3aOhSWpvbiTGHT8BbLYjRXI8chDpLmUPyokwiwgt,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.JphBdUGBvXxGnGy3hI3MMIprUmAVkk1jLZGi40tB5zOuzUxW,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.dYjWMFEfQbuBsOmQNUQNDAf1VAyTvaHjEnWs4nWAZ3sraxtF,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.jEEZj7Cueqz9SQAWpm1ahthIEJprf46KZbfwUcQzMQTGTsa5,Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.OYGFCrjRntVBawuCBNNGHRHGAZdyAGfpKOT7pH8XxwkGvF6puDEXWde8CwRfNwJnR()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Xslide.exe.0.dr, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{aK29vzLVdiwQvcTxrCpGgkXTbolccXYjQlp8WkwHgHpPnsezq29JRLmtMjLZKChHQazdyrVGwDvaa9GK[2],Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7._9wjO1nHGjMYXBXDAEoVsHQSHCzI1me1GRjFyB1xChb17nG63gle4FUyyngNWOQdAS(Convert.FromBase64String(aK29vzLVdiwQvcTxrCpGgkXTbolccXYjQlp8WkwHgHpPnsezq29JRLmtMjLZKChHQazdyrVGwDvaa9GK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.lmEtPOBJ3aOhSWpvbiTGHT8BbLYjRXI8chDpLmUPyokwiwgt,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.JphBdUGBvXxGnGy3hI3MMIprUmAVkk1jLZGi40tB5zOuzUxW,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.dYjWMFEfQbuBsOmQNUQNDAf1VAyTvaHjEnWs4nWAZ3sraxtF,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.jEEZj7Cueqz9SQAWpm1ahthIEJprf46KZbfwUcQzMQTGTsa5,Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.OYGFCrjRntVBawuCBNNGHRHGAZdyAGfpKOT7pH8XxwkGvF6puDEXWde8CwRfNwJnR()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{aK29vzLVdiwQvcTxrCpGgkXTbolccXYjQlp8WkwHgHpPnsezq29JRLmtMjLZKChHQazdyrVGwDvaa9GK[2],Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7._9wjO1nHGjMYXBXDAEoVsHQSHCzI1me1GRjFyB1xChb17nG63gle4FUyyngNWOQdAS(Convert.FromBase64String(aK29vzLVdiwQvcTxrCpGgkXTbolccXYjQlp8WkwHgHpPnsezq29JRLmtMjLZKChHQazdyrVGwDvaa9GK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.lmEtPOBJ3aOhSWpvbiTGHT8BbLYjRXI8chDpLmUPyokwiwgt,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.JphBdUGBvXxGnGy3hI3MMIprUmAVkk1jLZGi40tB5zOuzUxW,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.dYjWMFEfQbuBsOmQNUQNDAf1VAyTvaHjEnWs4nWAZ3sraxtF,RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.jEEZj7Cueqz9SQAWpm1ahthIEJprf46KZbfwUcQzMQTGTsa5,Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.OYGFCrjRntVBawuCBNNGHRHGAZdyAGfpKOT7pH8XxwkGvF6puDEXWde8CwRfNwJnR()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{aK29vzLVdiwQvcTxrCpGgkXTbolccXYjQlp8WkwHgHpPnsezq29JRLmtMjLZKChHQazdyrVGwDvaa9GK[2],Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7._9wjO1nHGjMYXBXDAEoVsHQSHCzI1me1GRjFyB1xChb17nG63gle4FUyyngNWOQdAS(Convert.FromBase64String(aK29vzLVdiwQvcTxrCpGgkXTbolccXYjQlp8WkwHgHpPnsezq29JRLmtMjLZKChHQazdyrVGwDvaa9GK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    .NET source code contains potential unpacker
                    Source: Xslide.exe.0.dr, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: rXjLhf0YQQgxf62l8Vff7ppjV8qgIEOLN4sEiPWEq8QWlDb0BJPnTI0LadsKbNrjUSaEeLKVyTe4nBFF System.AppDomain.Load(byte[])
                    Source: Xslide.exe.0.dr, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: bohTqESagOBJazliXtCR6TEZuQKPOMtXtx1oY7GNOb5d38fdWNbQSpk6XTm0xqaS0XWlwKcgPUSYkkJV System.AppDomain.Load(byte[])
                    Source: Xslide.exe.0.dr, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: bohTqESagOBJazliXtCR6TEZuQKPOMtXtx1oY7GNOb5d38fdWNbQSpk6XTm0xqaS0XWlwKcgPUSYkkJV
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: rXjLhf0YQQgxf62l8Vff7ppjV8qgIEOLN4sEiPWEq8QWlDb0BJPnTI0LadsKbNrjUSaEeLKVyTe4nBFF System.AppDomain.Load(byte[])
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: bohTqESagOBJazliXtCR6TEZuQKPOMtXtx1oY7GNOb5d38fdWNbQSpk6XTm0xqaS0XWlwKcgPUSYkkJV System.AppDomain.Load(byte[])
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: bohTqESagOBJazliXtCR6TEZuQKPOMtXtx1oY7GNOb5d38fdWNbQSpk6XTm0xqaS0XWlwKcgPUSYkkJV
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: rXjLhf0YQQgxf62l8Vff7ppjV8qgIEOLN4sEiPWEq8QWlDb0BJPnTI0LadsKbNrjUSaEeLKVyTe4nBFF System.AppDomain.Load(byte[])
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: bohTqESagOBJazliXtCR6TEZuQKPOMtXtx1oY7GNOb5d38fdWNbQSpk6XTm0xqaS0XWlwKcgPUSYkkJV System.AppDomain.Load(byte[])
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.cs.Net Code: bohTqESagOBJazliXtCR6TEZuQKPOMtXtx1oY7GNOb5d38fdWNbQSpk6XTm0xqaS0XWlwKcgPUSYkkJV
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeCode function: 0_2_00007FF848DA00BD pushad ; iretd 0_2_00007FF848DA00C1
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D82B43 push ebx; ret 2_2_00007FF848D82B4A
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D800BD pushad ; iretd 2_2_00007FF848D800C1
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeCode function: 3_2_00007FF848DCD668 push ss; retf 3_2_00007FF848DCD837
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeCode function: 3_2_00007FF848DCA272 push ebx; retf 3_2_00007FF848DCA282
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeCode function: 3_2_00007FF848DB00BD pushad ; iretd 3_2_00007FF848DB00C1
                    Source: hKWBNgRd7p.exeStatic PE information: section name: .text entropy: 7.997522656043478
                    Source: hKWBNgRd7p.exe, Zjs0fKbdgNIsOyk6EFccjn4jK9X0GINKleBVRNd0BbITspljWUmws5hUFo77fFTtsy47dhEKCrzImSMTMPgB.csHigh entropy of concatenated method names: 'JRLjgwlsjHILdagFqTjqeH3pgo', 'ATa4xFG21nIwhuIRFrrroOIXwI', 'OOX2IRvocFNsNYBUkjSxy0QzgX', 'rL2JaTXfpGrRmv3H27gZQwgusJ', '_8qkIMarDEOp9LFyEaBnkfxOPnf', 'vFbYwL0EYiR48VvldhissnbBCB', 'AnbTcnFVba0lF0zkWIzjezhFnf', 'Gdt1xTLtDZ7fbvlZdi67rdi3oU', '_9xV11ylXne6DSc6uay1EhfJVzw', 'A0YgD0vHR3EO0eiFaPKcQjpNIM'
                    Source: hKWBNgRd7p.exe, p6431HujJf0bl4GV0AurAIkiPeLD4P50lBPMIsm333RKEm9OhufVyLUKKY1gnYpB45VoVsjKc6qkuMwzv7y5.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'O7fSMFkYqJe7UzHIdPvVOKYfnq', 'H5Q1vWIix2rQFBkr5RIyE5FtoC', 'cQz0YiK4MxDF0j1O1uXN5ohOu0', 'az9qn08130RP9yZQd3VHW3ZZ8n'
                    Source: Xslide.exe.0.dr, KPfLwAIzsIbGdj3JEsQ9YjvJxuaxhPjsXNsHc3DquLF6ytE0Rdvl54aOP827nMSkF.csHigh entropy of concatenated method names: 'MmWbYPWj5cEl0p7qyWHXnOXZ7BcBFkSBx1pdl6zhcYllNsZRpcEMm0nqy6ZKcHP6o', 'LMqfsb3pch1K7dIMFWnlXogAUfmqPFUaD7bgaRwKwh7LC3qhK8x7d2sHCqaVyx6VK', 'dua0id7MJlqLpitvM0mFpnkkCFcNrbShbjd65yFFHSNCRnYe68fNbMZgg0PqwQu1g', 'iFYrPK2LzwpQLBG1lo9KL6n51', 'wLTZMTFew8oI5Fg8dPEdrpnuS', 'vIhTnVDWpIPDiCn8yS7mpxsbi', 'uDxVFFkicBnlgVWBhUcRvtEko', 'QwkSYupBTPdGydvFxCZvHhTPO', 'xWSEP6oTMhu0bPoipQqq8APyA', 'zeFWQWRJgfiAk0bZhj6oCkJVK'
                    Source: Xslide.exe.0.dr, RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.csHigh entropy of concatenated method names: 'Ot7NQhv4W39dKYfqr9B4ODq3wNVZdSw6FrLvPsyM', 'Ri0kCflc5qtnYsgOAXge07uKtu1H86aoZxOliIwH', 'ZJi3427ZdRzpgHlApwzOUIbTQPQY40Dmhfh5eaSv', 'FDKM0uOHzPqMf2kTrlwNGcI4hlayvmr2A4XpLNAa'
                    Source: Xslide.exe.0.dr, fddosmBtc8wfG9nDxM9hlkCB07lHgiq28ZhHyJ46yrkt0FC2.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'OmDLrgDe9r8AbDbmK4cpthJsk2IcTvEeBlCESa9li1GRiG95uP1hwir290z6KPzc5GWzLxZB0Spn4TUrSTncmFnKXhnc1lBPj', 'j3Nj26NCJCyIaJHhFkitcnIFHYfrnQYeHYKx5BHI5aSSzEvxqnUMLaF06QPYxy6IHpXbRl5Lo7KTSZshtXSIeTuoIVozEnYm6', 'ItYTlDabga1ielzNPM0kjlrMIfwBfAAbyxWNhoqxFYXSy4S4o7oM5ZqI2Glsy5d45IWb9pWLax7phqwEOkKvz1bKOCozI7GWz', 'vUszCOfsnTHHh9NQOqRnvEfRadxkhWG4T7YHPE0jH6BHPo0CTSwaaFLXPLrYPGDxcjYoJwmIv9Q8znb5S0DZCMRJ343jkYmEE'
                    Source: Xslide.exe.0.dr, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csHigh entropy of concatenated method names: 'Q7rPYoffK7lTqxSmuTfVA5gEISi00YhI0ZCn1uuH4hWQvLFKZbEZUThOWtLpd4WTn', '_6sahcDJSCT2A9GNuSSXf5lev7Bclhe4wDVYgRZfrxnDjoSZK0DOdjtCb7Rg0ILvQz', 'B4w1fLpUGJ5udVPO4tN8GaQq61Y15IN93WViKbGh5EhScVn23eRTYbU8zRuVKMoHx', 'Nx00VNPyNTzkSnfl0zNF7ozpRnMoZTPpJRpCjArqkQv09XGM22jS0P8fvedoWAyyn', 'B27eZN2xP9wObRWJsSYl7eo6y0DxexoJ33O2rCWQkCnAA6ZQlGLHKlhTgEWYC7RuA', 'EnD2yAsLV2jVq44c7fvygmbTdNVJ6iXBNttXbAumcEOC4fmXagZxPpBgLvGZjMTa8', '_8dp29xvbIC7C5uTRQM6jFRfe4Qmi8jk8p0HIj1KHVBOvzNi6CRFTFJAmvwuTcdPlA', 'Msfy9vSS9qMCVyrRDzhj3TkFrMgfS8iRFdUhkj79PSTcj5NCTsEAEGlfBcvWKgSkM', 'XVgmMV5QMGhK08kQHtn7HJQGLTvq6RCqJk0lkqsszTqFwOTROG29B798djv96sHPK', '_522YlNSI9jnbESMJZC0FQFxLRADM1zBlz9Cl0ZGSDdVupRFSFRpq62CtRnLxDfXOz'
                    Source: Xslide.exe.0.dr, nAvyRCUMjVQzQVBbmgmNHE6sRw8obfKGr8IqvJQxOy1eoEhL.csHigh entropy of concatenated method names: '_5evwIJ9JNSufxJDBYGc9XuhXC2IDbuSoprutX9v5yxkjNpdS', 'BbWAb8pHRSeZ6DEsALXYLO9es5H7zZHdeAxRwAHN6afakixd', 'Av9B54T6cLwfStcfaxqoM2SCmJ6CepBH0OwPPYRfzMG26QTb', 'wXNed46CwzhdVadasMPL8GmPPxkYJRsdcA5xrZtZ3OFCHCi4', 'aWzQA0bD9j8loFGWt7cvA9EttcMot4yH7TcuFi88d2K2MTPT', 'nWYcnaNb9D2VkpMECvWbIyIMT0C0vDTwDrJ6OcRTRz0WXivm', 'oknI3kzQJVCDA8C1TrHaWQKgnnGf4trDXZDXgaMNZbyWaqfp', '_0TudUeM0mWclUxm5Eni9LtiV4D0Fg9cUDwup3n5HVfanIhfC', '_5QFZ4bfo7cbsyRr9VEvmrY3vqq8kLLViv1ZbQXRTwPUq4vf8', 'WBRqS5yTkocPUp8MhGq3LMsQPY8QwvFKONg945VnoU3aMy43'
                    Source: Xslide.exe.0.dr, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csHigh entropy of concatenated method names: 'dClIHm3viMBffAWVD0iDoI253vfD0vvcl9gbFInsOjGBjspt', 'NmeIuiMQfgJu694ltTBIJ5OHTBzJsvOHETGFBEMoPRVJBHWG', 'aihb7Szu0Sh6nFZUlheiIuRDqP56Ab8VfcpN0tzyI9e4OMPQ', 'DLqwUL6Lv6qFe0BEyaMa0QE0T4eNvWwsyEAs7EQphqiqx3ly', 'NKV4NfBviWaPrVnptroBruYGpq2PgP4tiPIlRlaFPpcivqTg', 'lj1JEfgzv7PBjzrLaTPoMqyx1oJTXWfrcyrh4oUMEyqjxPkp', 'hTA2Zvz7qYv3i7yEOOyctFIALZYtp77VVVw25KcRxcJV81XF', 'w4bJgc3iV2FG5fDyVvhNFnipAS5h6yx4frEoRNNOyz0F3oHP', 'JnTArbuiI3rcrNnXQCDrOog8EGY8Atu6feSe4IamdTAxQ0RU', '_52EyF5tYUdFPdkMrbmMIQWB18aby5z8mSASrqamboJenbgWu'
                    Source: Xslide.exe.0.dr, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.csHigh entropy of concatenated method names: 'icxC9cboy92YPV4410XsVbCUgjq38GUCSjogn5CB9w45lLdEFaqYDJeIKnUss8nIZsQRgM9TTcAjJbs0', 'rXjLhf0YQQgxf62l8Vff7ppjV8qgIEOLN4sEiPWEq8QWlDb0BJPnTI0LadsKbNrjUSaEeLKVyTe4nBFF', 'gAfEhSWlN2tXfDNBgWlIby8zulQCROHIdX6MBl9U8GtrBTE80ENb2nbnHXiZ51eQtJmrH0RycOnHM3DS', 'eIAiZKlxPLhTo4SlvCf9wSw7eJEnouLG0HMYDXyMSHUbhqRzij2bsHkcjDPXHUXvG16VJleB4qGdb03y', 'QKt1HFKOZfrCNMrzHn8k1j4ctnuFYyfxm1MiP8v4olOvOCQkFFQKs0YCLp7jTrGGFwS5UM3G0GWME6it', 'sFLrzi22mo7YuakB5UwlR4lqDU5mLLHWPEG5STw7X9yn4wncK8aLBz3Q24duoNTux7EcRQlDhnm2MFL8', 'iqMLNpatYe84gDIu6f1wVsARWRPBPS9ysMkHloMALXhUDHH8zRhLd9EaHCh99bbHeE4wfntmpVNcfDTq', '_1chbiGhFh5iZqabNSfTPmifiRd36IfdB9sNVW8dEIIT5YvLzvmZorv74gf4sSDyaDKMjfzNejvvfzUNI', '_29iEn9ALHo9Ygtu1NAnzEtU9w4osyr6SgILWSr7WIcHyfD6XkU4EYCxBT7Bk7QPTFBVWuuh4OoHteZkc', 'rP9vLvHy9XNJbrFXoUpjm9ysAvJkcHyHCXta14erOeuWF44cAadJOoXXDd92g8GW2zrhDRFF4CaNQVva'
                    Source: Xslide.exe.0.dr, OEVmGL0x2LpG4hthF5SAckm8es8cqweQybwrVe79hywK9zdbGxMWxnnqCl1hnEZaBbcRQpDsuovaAica.csHigh entropy of concatenated method names: 'MZhFwnjprJHeEkwZG0RDf3s9A3BvxD5fT9fQmujq0e1MY23uWkoUXNgnndIaZMTr9ieEx5Ggad4tLTCp', 'JzdqBCmQyDa1M9SSCW3NGXRvnTKWN6e2LYI5JfSHEAbjHIePlTHso1mSAOrIg5PQ1DoD2q54rrPzp1Fa', 'tLR84fdEF4wAEPrAR3HJFIAs9yo3fRTwdjThL3WYPwZM8z8kvi3QEx97t2xZwRMbHtdwnvno0ghsD5Jg', 'OuxiYtAqSZAaXjJHM8uU4Bf6atjipaO9wwSqwqALjlK7oNcRg9zc8KQz7KLFvd8vTahNyQNFOY8NQPTc', '_3hNX0ggOee4zEli84IcZ4Yo6UOPMqL07pjSf48WeCFAxnUFeaUAUwobK4Bd8LkXWelnhL1L9U490CfjU', 'BOLPzBKHMUHUomr6qJBK9r177os7vIDWl3Q5lB45z26YNLxonvLGXmQoaPhPbsSJvKHoTQHbry4OSipt', 'SM7HYzd4Bipk57g7s0ZNCprKLdhOgnaOpyZOfDZ7fLmY2JJNe5wSpLFQNgtvkUgih2Jw9hw00GhhE6wG', '_3GrLDgxGcwMehoPJQGf39m9Djy7pxfVqK1HOXq7eiDt5xn5z1Kha0vqPqUyryTjB6AAHNYM4JQJITccO', 'eQCs8k7C36ZvRy8tzOyWZInlPX4De4LsxLpyWBdEvGr8BbTMZjzDo5DcrYw60lVzLIQLI1g1DdbnFWON', 'FgodwpoA6seNoxR7wLb9aVI71UJyK20KMZzo03ufVVQgygMHDGs347Pmrr7x20AJpeOrfCdHjkH28XLw'
                    Source: Xslide.exe.0.dr, p5szZvEVMgBVxwLi3M66gA5Dwd93QiWsJnTYgKX2PIXOpi96yhVhWD4CZt4Mbon7W.csHigh entropy of concatenated method names: 'BGQaeLPkAPljsqeV2GCBIF0vseDTezCLrmtp35Ne2f1x87OwwsL0Wj3dz3u1L3P5t', 'dTEPry3GIGy2mWolIGyvhYrr2s3BT5L36y0671Fp3mAtbvmt31yKefpAgI4wZs9K6', '_3YJzTEiBIsBGnBCL4z8cKyt6Izo1FzqIEw5mkxuOpLVw05bIikBrtCET0SjtkKC0r', 'cTZrXJkMZOAhDn8SGb3uYeONakQgiE8uYQPhQAIm0N7Q3xQU1v2S7FvLp0S9Jium4', 'RUS5E7gNxHzl20NGFYlnUgOEQ', '_5y1tu5cDmNL1Bbj67XI3hNBPJ', 'XGhI4MmxV6WNceJl7uZeGYkIk', 'Zn0xul17RluxagJGG9dFyPQ6X', 'uGitQaoU3X86mvdSg8XN48MJs', 'D8hSbnQ2Fa8iRn853VdKVrLHR'
                    Source: Xslide.exe.0.dr, Mdi7VGquZFgtdTsHjR8vrdhAoJfGaCU6KeLtwJw90OtRcrbKMQQPXeQR7mjcE4Poo.csHigh entropy of concatenated method names: 'kPHLKclri1k1xUbzvaaRaMK2pHyRLUtYhQHRCJ8aeQazzaumnV2BSwpmFDJpFpmtI', 'UjcWrwA5427665nsxhi3hh0DP', 'FU3hCfZYSGLW9Mr5DyGJxWYZ7', 'Vg0ODBAfqBO3JwkHZ2t3h1Yat', 'eowP8vME9w0HhbXUBhhryTLV3'
                    Source: Xslide.exe.0.dr, cBbOXm61NjZIyX7a7VKkSDEpUuJHEVw7wgDBD2Viw8LC9HPkrVFnNZFn45vlVDlkUKDlE4p9cnLRiwvm.csHigh entropy of concatenated method names: 'VZwwtA09907ZgsN0TecXABs5Fe6WfskCjfDSUPuME9jVoh0kI0mlifGMroQOORVKSmsBhjRHaDYi4PNp', 'abbPVLiDqqLFlHYJfMa8hJ8gRvFHkET50KeXqNMv', 'Pg9J4tUTnhKYXJ0zItmcPm1HOLfrgWwsJBKSd5RY', 'u0Xgpx9kifTl15Ok1ueItNPVwE52B7Y6eGqm7TrP', 'jJTktJQGaaTsSjyqIWb9iFfhzgO0Dh7dVFQg1K34'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, KPfLwAIzsIbGdj3JEsQ9YjvJxuaxhPjsXNsHc3DquLF6ytE0Rdvl54aOP827nMSkF.csHigh entropy of concatenated method names: 'MmWbYPWj5cEl0p7qyWHXnOXZ7BcBFkSBx1pdl6zhcYllNsZRpcEMm0nqy6ZKcHP6o', 'LMqfsb3pch1K7dIMFWnlXogAUfmqPFUaD7bgaRwKwh7LC3qhK8x7d2sHCqaVyx6VK', 'dua0id7MJlqLpitvM0mFpnkkCFcNrbShbjd65yFFHSNCRnYe68fNbMZgg0PqwQu1g', 'iFYrPK2LzwpQLBG1lo9KL6n51', 'wLTZMTFew8oI5Fg8dPEdrpnuS', 'vIhTnVDWpIPDiCn8yS7mpxsbi', 'uDxVFFkicBnlgVWBhUcRvtEko', 'QwkSYupBTPdGydvFxCZvHhTPO', 'xWSEP6oTMhu0bPoipQqq8APyA', 'zeFWQWRJgfiAk0bZhj6oCkJVK'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.csHigh entropy of concatenated method names: 'Ot7NQhv4W39dKYfqr9B4ODq3wNVZdSw6FrLvPsyM', 'Ri0kCflc5qtnYsgOAXge07uKtu1H86aoZxOliIwH', 'ZJi3427ZdRzpgHlApwzOUIbTQPQY40Dmhfh5eaSv', 'FDKM0uOHzPqMf2kTrlwNGcI4hlayvmr2A4XpLNAa'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, fddosmBtc8wfG9nDxM9hlkCB07lHgiq28ZhHyJ46yrkt0FC2.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'OmDLrgDe9r8AbDbmK4cpthJsk2IcTvEeBlCESa9li1GRiG95uP1hwir290z6KPzc5GWzLxZB0Spn4TUrSTncmFnKXhnc1lBPj', 'j3Nj26NCJCyIaJHhFkitcnIFHYfrnQYeHYKx5BHI5aSSzEvxqnUMLaF06QPYxy6IHpXbRl5Lo7KTSZshtXSIeTuoIVozEnYm6', 'ItYTlDabga1ielzNPM0kjlrMIfwBfAAbyxWNhoqxFYXSy4S4o7oM5ZqI2Glsy5d45IWb9pWLax7phqwEOkKvz1bKOCozI7GWz', 'vUszCOfsnTHHh9NQOqRnvEfRadxkhWG4T7YHPE0jH6BHPo0CTSwaaFLXPLrYPGDxcjYoJwmIv9Q8znb5S0DZCMRJ343jkYmEE'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csHigh entropy of concatenated method names: 'Q7rPYoffK7lTqxSmuTfVA5gEISi00YhI0ZCn1uuH4hWQvLFKZbEZUThOWtLpd4WTn', '_6sahcDJSCT2A9GNuSSXf5lev7Bclhe4wDVYgRZfrxnDjoSZK0DOdjtCb7Rg0ILvQz', 'B4w1fLpUGJ5udVPO4tN8GaQq61Y15IN93WViKbGh5EhScVn23eRTYbU8zRuVKMoHx', 'Nx00VNPyNTzkSnfl0zNF7ozpRnMoZTPpJRpCjArqkQv09XGM22jS0P8fvedoWAyyn', 'B27eZN2xP9wObRWJsSYl7eo6y0DxexoJ33O2rCWQkCnAA6ZQlGLHKlhTgEWYC7RuA', 'EnD2yAsLV2jVq44c7fvygmbTdNVJ6iXBNttXbAumcEOC4fmXagZxPpBgLvGZjMTa8', '_8dp29xvbIC7C5uTRQM6jFRfe4Qmi8jk8p0HIj1KHVBOvzNi6CRFTFJAmvwuTcdPlA', 'Msfy9vSS9qMCVyrRDzhj3TkFrMgfS8iRFdUhkj79PSTcj5NCTsEAEGlfBcvWKgSkM', 'XVgmMV5QMGhK08kQHtn7HJQGLTvq6RCqJk0lkqsszTqFwOTROG29B798djv96sHPK', '_522YlNSI9jnbESMJZC0FQFxLRADM1zBlz9Cl0ZGSDdVupRFSFRpq62CtRnLxDfXOz'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, nAvyRCUMjVQzQVBbmgmNHE6sRw8obfKGr8IqvJQxOy1eoEhL.csHigh entropy of concatenated method names: '_5evwIJ9JNSufxJDBYGc9XuhXC2IDbuSoprutX9v5yxkjNpdS', 'BbWAb8pHRSeZ6DEsALXYLO9es5H7zZHdeAxRwAHN6afakixd', 'Av9B54T6cLwfStcfaxqoM2SCmJ6CepBH0OwPPYRfzMG26QTb', 'wXNed46CwzhdVadasMPL8GmPPxkYJRsdcA5xrZtZ3OFCHCi4', 'aWzQA0bD9j8loFGWt7cvA9EttcMot4yH7TcuFi88d2K2MTPT', 'nWYcnaNb9D2VkpMECvWbIyIMT0C0vDTwDrJ6OcRTRz0WXivm', 'oknI3kzQJVCDA8C1TrHaWQKgnnGf4trDXZDXgaMNZbyWaqfp', '_0TudUeM0mWclUxm5Eni9LtiV4D0Fg9cUDwup3n5HVfanIhfC', '_5QFZ4bfo7cbsyRr9VEvmrY3vqq8kLLViv1ZbQXRTwPUq4vf8', 'WBRqS5yTkocPUp8MhGq3LMsQPY8QwvFKONg945VnoU3aMy43'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csHigh entropy of concatenated method names: 'dClIHm3viMBffAWVD0iDoI253vfD0vvcl9gbFInsOjGBjspt', 'NmeIuiMQfgJu694ltTBIJ5OHTBzJsvOHETGFBEMoPRVJBHWG', 'aihb7Szu0Sh6nFZUlheiIuRDqP56Ab8VfcpN0tzyI9e4OMPQ', 'DLqwUL6Lv6qFe0BEyaMa0QE0T4eNvWwsyEAs7EQphqiqx3ly', 'NKV4NfBviWaPrVnptroBruYGpq2PgP4tiPIlRlaFPpcivqTg', 'lj1JEfgzv7PBjzrLaTPoMqyx1oJTXWfrcyrh4oUMEyqjxPkp', 'hTA2Zvz7qYv3i7yEOOyctFIALZYtp77VVVw25KcRxcJV81XF', 'w4bJgc3iV2FG5fDyVvhNFnipAS5h6yx4frEoRNNOyz0F3oHP', 'JnTArbuiI3rcrNnXQCDrOog8EGY8Atu6feSe4IamdTAxQ0RU', '_52EyF5tYUdFPdkMrbmMIQWB18aby5z8mSASrqamboJenbgWu'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.csHigh entropy of concatenated method names: 'icxC9cboy92YPV4410XsVbCUgjq38GUCSjogn5CB9w45lLdEFaqYDJeIKnUss8nIZsQRgM9TTcAjJbs0', 'rXjLhf0YQQgxf62l8Vff7ppjV8qgIEOLN4sEiPWEq8QWlDb0BJPnTI0LadsKbNrjUSaEeLKVyTe4nBFF', 'gAfEhSWlN2tXfDNBgWlIby8zulQCROHIdX6MBl9U8GtrBTE80ENb2nbnHXiZ51eQtJmrH0RycOnHM3DS', 'eIAiZKlxPLhTo4SlvCf9wSw7eJEnouLG0HMYDXyMSHUbhqRzij2bsHkcjDPXHUXvG16VJleB4qGdb03y', 'QKt1HFKOZfrCNMrzHn8k1j4ctnuFYyfxm1MiP8v4olOvOCQkFFQKs0YCLp7jTrGGFwS5UM3G0GWME6it', 'sFLrzi22mo7YuakB5UwlR4lqDU5mLLHWPEG5STw7X9yn4wncK8aLBz3Q24duoNTux7EcRQlDhnm2MFL8', 'iqMLNpatYe84gDIu6f1wVsARWRPBPS9ysMkHloMALXhUDHH8zRhLd9EaHCh99bbHeE4wfntmpVNcfDTq', '_1chbiGhFh5iZqabNSfTPmifiRd36IfdB9sNVW8dEIIT5YvLzvmZorv74gf4sSDyaDKMjfzNejvvfzUNI', '_29iEn9ALHo9Ygtu1NAnzEtU9w4osyr6SgILWSr7WIcHyfD6XkU4EYCxBT7Bk7QPTFBVWuuh4OoHteZkc', 'rP9vLvHy9XNJbrFXoUpjm9ysAvJkcHyHCXta14erOeuWF44cAadJOoXXDd92g8GW2zrhDRFF4CaNQVva'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, OEVmGL0x2LpG4hthF5SAckm8es8cqweQybwrVe79hywK9zdbGxMWxnnqCl1hnEZaBbcRQpDsuovaAica.csHigh entropy of concatenated method names: 'MZhFwnjprJHeEkwZG0RDf3s9A3BvxD5fT9fQmujq0e1MY23uWkoUXNgnndIaZMTr9ieEx5Ggad4tLTCp', 'JzdqBCmQyDa1M9SSCW3NGXRvnTKWN6e2LYI5JfSHEAbjHIePlTHso1mSAOrIg5PQ1DoD2q54rrPzp1Fa', 'tLR84fdEF4wAEPrAR3HJFIAs9yo3fRTwdjThL3WYPwZM8z8kvi3QEx97t2xZwRMbHtdwnvno0ghsD5Jg', 'OuxiYtAqSZAaXjJHM8uU4Bf6atjipaO9wwSqwqALjlK7oNcRg9zc8KQz7KLFvd8vTahNyQNFOY8NQPTc', '_3hNX0ggOee4zEli84IcZ4Yo6UOPMqL07pjSf48WeCFAxnUFeaUAUwobK4Bd8LkXWelnhL1L9U490CfjU', 'BOLPzBKHMUHUomr6qJBK9r177os7vIDWl3Q5lB45z26YNLxonvLGXmQoaPhPbsSJvKHoTQHbry4OSipt', 'SM7HYzd4Bipk57g7s0ZNCprKLdhOgnaOpyZOfDZ7fLmY2JJNe5wSpLFQNgtvkUgih2Jw9hw00GhhE6wG', '_3GrLDgxGcwMehoPJQGf39m9Djy7pxfVqK1HOXq7eiDt5xn5z1Kha0vqPqUyryTjB6AAHNYM4JQJITccO', 'eQCs8k7C36ZvRy8tzOyWZInlPX4De4LsxLpyWBdEvGr8BbTMZjzDo5DcrYw60lVzLIQLI1g1DdbnFWON', 'FgodwpoA6seNoxR7wLb9aVI71UJyK20KMZzo03ufVVQgygMHDGs347Pmrr7x20AJpeOrfCdHjkH28XLw'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, p5szZvEVMgBVxwLi3M66gA5Dwd93QiWsJnTYgKX2PIXOpi96yhVhWD4CZt4Mbon7W.csHigh entropy of concatenated method names: 'BGQaeLPkAPljsqeV2GCBIF0vseDTezCLrmtp35Ne2f1x87OwwsL0Wj3dz3u1L3P5t', 'dTEPry3GIGy2mWolIGyvhYrr2s3BT5L36y0671Fp3mAtbvmt31yKefpAgI4wZs9K6', '_3YJzTEiBIsBGnBCL4z8cKyt6Izo1FzqIEw5mkxuOpLVw05bIikBrtCET0SjtkKC0r', 'cTZrXJkMZOAhDn8SGb3uYeONakQgiE8uYQPhQAIm0N7Q3xQU1v2S7FvLp0S9Jium4', 'RUS5E7gNxHzl20NGFYlnUgOEQ', '_5y1tu5cDmNL1Bbj67XI3hNBPJ', 'XGhI4MmxV6WNceJl7uZeGYkIk', 'Zn0xul17RluxagJGG9dFyPQ6X', 'uGitQaoU3X86mvdSg8XN48MJs', 'D8hSbnQ2Fa8iRn853VdKVrLHR'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, Mdi7VGquZFgtdTsHjR8vrdhAoJfGaCU6KeLtwJw90OtRcrbKMQQPXeQR7mjcE4Poo.csHigh entropy of concatenated method names: 'kPHLKclri1k1xUbzvaaRaMK2pHyRLUtYhQHRCJ8aeQazzaumnV2BSwpmFDJpFpmtI', 'UjcWrwA5427665nsxhi3hh0DP', 'FU3hCfZYSGLW9Mr5DyGJxWYZ7', 'Vg0ODBAfqBO3JwkHZ2t3h1Yat', 'eowP8vME9w0HhbXUBhhryTLV3'
                    Source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, cBbOXm61NjZIyX7a7VKkSDEpUuJHEVw7wgDBD2Viw8LC9HPkrVFnNZFn45vlVDlkUKDlE4p9cnLRiwvm.csHigh entropy of concatenated method names: 'VZwwtA09907ZgsN0TecXABs5Fe6WfskCjfDSUPuME9jVoh0kI0mlifGMroQOORVKSmsBhjRHaDYi4PNp', 'abbPVLiDqqLFlHYJfMa8hJ8gRvFHkET50KeXqNMv', 'Pg9J4tUTnhKYXJ0zItmcPm1HOLfrgWwsJBKSd5RY', 'u0Xgpx9kifTl15Ok1ueItNPVwE52B7Y6eGqm7TrP', 'jJTktJQGaaTsSjyqIWb9iFfhzgO0Dh7dVFQg1K34'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, KPfLwAIzsIbGdj3JEsQ9YjvJxuaxhPjsXNsHc3DquLF6ytE0Rdvl54aOP827nMSkF.csHigh entropy of concatenated method names: 'MmWbYPWj5cEl0p7qyWHXnOXZ7BcBFkSBx1pdl6zhcYllNsZRpcEMm0nqy6ZKcHP6o', 'LMqfsb3pch1K7dIMFWnlXogAUfmqPFUaD7bgaRwKwh7LC3qhK8x7d2sHCqaVyx6VK', 'dua0id7MJlqLpitvM0mFpnkkCFcNrbShbjd65yFFHSNCRnYe68fNbMZgg0PqwQu1g', 'iFYrPK2LzwpQLBG1lo9KL6n51', 'wLTZMTFew8oI5Fg8dPEdrpnuS', 'vIhTnVDWpIPDiCn8yS7mpxsbi', 'uDxVFFkicBnlgVWBhUcRvtEko', 'QwkSYupBTPdGydvFxCZvHhTPO', 'xWSEP6oTMhu0bPoipQqq8APyA', 'zeFWQWRJgfiAk0bZhj6oCkJVK'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, RNMy9t3AXVFBM6HWSfll78HwkkI8DuwMtltHKx62F07H2mFG.csHigh entropy of concatenated method names: 'Ot7NQhv4W39dKYfqr9B4ODq3wNVZdSw6FrLvPsyM', 'Ri0kCflc5qtnYsgOAXge07uKtu1H86aoZxOliIwH', 'ZJi3427ZdRzpgHlApwzOUIbTQPQY40Dmhfh5eaSv', 'FDKM0uOHzPqMf2kTrlwNGcI4hlayvmr2A4XpLNAa'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, fddosmBtc8wfG9nDxM9hlkCB07lHgiq28ZhHyJ46yrkt0FC2.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'OmDLrgDe9r8AbDbmK4cpthJsk2IcTvEeBlCESa9li1GRiG95uP1hwir290z6KPzc5GWzLxZB0Spn4TUrSTncmFnKXhnc1lBPj', 'j3Nj26NCJCyIaJHhFkitcnIFHYfrnQYeHYKx5BHI5aSSzEvxqnUMLaF06QPYxy6IHpXbRl5Lo7KTSZshtXSIeTuoIVozEnYm6', 'ItYTlDabga1ielzNPM0kjlrMIfwBfAAbyxWNhoqxFYXSy4S4o7oM5ZqI2Glsy5d45IWb9pWLax7phqwEOkKvz1bKOCozI7GWz', 'vUszCOfsnTHHh9NQOqRnvEfRadxkhWG4T7YHPE0jH6BHPo0CTSwaaFLXPLrYPGDxcjYoJwmIv9Q8znb5S0DZCMRJ343jkYmEE'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, Bc0QwTPdUQXhZtuNkfsR0pTU3c6YIxCuyavI2Q98ohQuGSRtO85Mh8MnecQxTXxl7.csHigh entropy of concatenated method names: 'Q7rPYoffK7lTqxSmuTfVA5gEISi00YhI0ZCn1uuH4hWQvLFKZbEZUThOWtLpd4WTn', '_6sahcDJSCT2A9GNuSSXf5lev7Bclhe4wDVYgRZfrxnDjoSZK0DOdjtCb7Rg0ILvQz', 'B4w1fLpUGJ5udVPO4tN8GaQq61Y15IN93WViKbGh5EhScVn23eRTYbU8zRuVKMoHx', 'Nx00VNPyNTzkSnfl0zNF7ozpRnMoZTPpJRpCjArqkQv09XGM22jS0P8fvedoWAyyn', 'B27eZN2xP9wObRWJsSYl7eo6y0DxexoJ33O2rCWQkCnAA6ZQlGLHKlhTgEWYC7RuA', 'EnD2yAsLV2jVq44c7fvygmbTdNVJ6iXBNttXbAumcEOC4fmXagZxPpBgLvGZjMTa8', '_8dp29xvbIC7C5uTRQM6jFRfe4Qmi8jk8p0HIj1KHVBOvzNi6CRFTFJAmvwuTcdPlA', 'Msfy9vSS9qMCVyrRDzhj3TkFrMgfS8iRFdUhkj79PSTcj5NCTsEAEGlfBcvWKgSkM', 'XVgmMV5QMGhK08kQHtn7HJQGLTvq6RCqJk0lkqsszTqFwOTROG29B798djv96sHPK', '_522YlNSI9jnbESMJZC0FQFxLRADM1zBlz9Cl0ZGSDdVupRFSFRpq62CtRnLxDfXOz'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, nAvyRCUMjVQzQVBbmgmNHE6sRw8obfKGr8IqvJQxOy1eoEhL.csHigh entropy of concatenated method names: '_5evwIJ9JNSufxJDBYGc9XuhXC2IDbuSoprutX9v5yxkjNpdS', 'BbWAb8pHRSeZ6DEsALXYLO9es5H7zZHdeAxRwAHN6afakixd', 'Av9B54T6cLwfStcfaxqoM2SCmJ6CepBH0OwPPYRfzMG26QTb', 'wXNed46CwzhdVadasMPL8GmPPxkYJRsdcA5xrZtZ3OFCHCi4', 'aWzQA0bD9j8loFGWt7cvA9EttcMot4yH7TcuFi88d2K2MTPT', 'nWYcnaNb9D2VkpMECvWbIyIMT0C0vDTwDrJ6OcRTRz0WXivm', 'oknI3kzQJVCDA8C1TrHaWQKgnnGf4trDXZDXgaMNZbyWaqfp', '_0TudUeM0mWclUxm5Eni9LtiV4D0Fg9cUDwup3n5HVfanIhfC', '_5QFZ4bfo7cbsyRr9VEvmrY3vqq8kLLViv1ZbQXRTwPUq4vf8', 'WBRqS5yTkocPUp8MhGq3LMsQPY8QwvFKONg945VnoU3aMy43'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, poCMEeeHMX701BbuKRcsc3u4wCraRAhuKTYmy2IZvEArsmjd.csHigh entropy of concatenated method names: 'dClIHm3viMBffAWVD0iDoI253vfD0vvcl9gbFInsOjGBjspt', 'NmeIuiMQfgJu694ltTBIJ5OHTBzJsvOHETGFBEMoPRVJBHWG', 'aihb7Szu0Sh6nFZUlheiIuRDqP56Ab8VfcpN0tzyI9e4OMPQ', 'DLqwUL6Lv6qFe0BEyaMa0QE0T4eNvWwsyEAs7EQphqiqx3ly', 'NKV4NfBviWaPrVnptroBruYGpq2PgP4tiPIlRlaFPpcivqTg', 'lj1JEfgzv7PBjzrLaTPoMqyx1oJTXWfrcyrh4oUMEyqjxPkp', 'hTA2Zvz7qYv3i7yEOOyctFIALZYtp77VVVw25KcRxcJV81XF', 'w4bJgc3iV2FG5fDyVvhNFnipAS5h6yx4frEoRNNOyz0F3oHP', 'JnTArbuiI3rcrNnXQCDrOog8EGY8Atu6feSe4IamdTAxQ0RU', '_52EyF5tYUdFPdkMrbmMIQWB18aby5z8mSASrqamboJenbgWu'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, MC0x4huhOkPql0qrgP5i8cJqmW3Y219GGiUNqW144r4ir9SLIQHE5Xars84MFHZ2eGvYwgbKFDNT6XQY.csHigh entropy of concatenated method names: 'icxC9cboy92YPV4410XsVbCUgjq38GUCSjogn5CB9w45lLdEFaqYDJeIKnUss8nIZsQRgM9TTcAjJbs0', 'rXjLhf0YQQgxf62l8Vff7ppjV8qgIEOLN4sEiPWEq8QWlDb0BJPnTI0LadsKbNrjUSaEeLKVyTe4nBFF', 'gAfEhSWlN2tXfDNBgWlIby8zulQCROHIdX6MBl9U8GtrBTE80ENb2nbnHXiZ51eQtJmrH0RycOnHM3DS', 'eIAiZKlxPLhTo4SlvCf9wSw7eJEnouLG0HMYDXyMSHUbhqRzij2bsHkcjDPXHUXvG16VJleB4qGdb03y', 'QKt1HFKOZfrCNMrzHn8k1j4ctnuFYyfxm1MiP8v4olOvOCQkFFQKs0YCLp7jTrGGFwS5UM3G0GWME6it', 'sFLrzi22mo7YuakB5UwlR4lqDU5mLLHWPEG5STw7X9yn4wncK8aLBz3Q24duoNTux7EcRQlDhnm2MFL8', 'iqMLNpatYe84gDIu6f1wVsARWRPBPS9ysMkHloMALXhUDHH8zRhLd9EaHCh99bbHeE4wfntmpVNcfDTq', '_1chbiGhFh5iZqabNSfTPmifiRd36IfdB9sNVW8dEIIT5YvLzvmZorv74gf4sSDyaDKMjfzNejvvfzUNI', '_29iEn9ALHo9Ygtu1NAnzEtU9w4osyr6SgILWSr7WIcHyfD6XkU4EYCxBT7Bk7QPTFBVWuuh4OoHteZkc', 'rP9vLvHy9XNJbrFXoUpjm9ysAvJkcHyHCXta14erOeuWF44cAadJOoXXDd92g8GW2zrhDRFF4CaNQVva'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, OEVmGL0x2LpG4hthF5SAckm8es8cqweQybwrVe79hywK9zdbGxMWxnnqCl1hnEZaBbcRQpDsuovaAica.csHigh entropy of concatenated method names: 'MZhFwnjprJHeEkwZG0RDf3s9A3BvxD5fT9fQmujq0e1MY23uWkoUXNgnndIaZMTr9ieEx5Ggad4tLTCp', 'JzdqBCmQyDa1M9SSCW3NGXRvnTKWN6e2LYI5JfSHEAbjHIePlTHso1mSAOrIg5PQ1DoD2q54rrPzp1Fa', 'tLR84fdEF4wAEPrAR3HJFIAs9yo3fRTwdjThL3WYPwZM8z8kvi3QEx97t2xZwRMbHtdwnvno0ghsD5Jg', 'OuxiYtAqSZAaXjJHM8uU4Bf6atjipaO9wwSqwqALjlK7oNcRg9zc8KQz7KLFvd8vTahNyQNFOY8NQPTc', '_3hNX0ggOee4zEli84IcZ4Yo6UOPMqL07pjSf48WeCFAxnUFeaUAUwobK4Bd8LkXWelnhL1L9U490CfjU', 'BOLPzBKHMUHUomr6qJBK9r177os7vIDWl3Q5lB45z26YNLxonvLGXmQoaPhPbsSJvKHoTQHbry4OSipt', 'SM7HYzd4Bipk57g7s0ZNCprKLdhOgnaOpyZOfDZ7fLmY2JJNe5wSpLFQNgtvkUgih2Jw9hw00GhhE6wG', '_3GrLDgxGcwMehoPJQGf39m9Djy7pxfVqK1HOXq7eiDt5xn5z1Kha0vqPqUyryTjB6AAHNYM4JQJITccO', 'eQCs8k7C36ZvRy8tzOyWZInlPX4De4LsxLpyWBdEvGr8BbTMZjzDo5DcrYw60lVzLIQLI1g1DdbnFWON', 'FgodwpoA6seNoxR7wLb9aVI71UJyK20KMZzo03ufVVQgygMHDGs347Pmrr7x20AJpeOrfCdHjkH28XLw'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, p5szZvEVMgBVxwLi3M66gA5Dwd93QiWsJnTYgKX2PIXOpi96yhVhWD4CZt4Mbon7W.csHigh entropy of concatenated method names: 'BGQaeLPkAPljsqeV2GCBIF0vseDTezCLrmtp35Ne2f1x87OwwsL0Wj3dz3u1L3P5t', 'dTEPry3GIGy2mWolIGyvhYrr2s3BT5L36y0671Fp3mAtbvmt31yKefpAgI4wZs9K6', '_3YJzTEiBIsBGnBCL4z8cKyt6Izo1FzqIEw5mkxuOpLVw05bIikBrtCET0SjtkKC0r', 'cTZrXJkMZOAhDn8SGb3uYeONakQgiE8uYQPhQAIm0N7Q3xQU1v2S7FvLp0S9Jium4', 'RUS5E7gNxHzl20NGFYlnUgOEQ', '_5y1tu5cDmNL1Bbj67XI3hNBPJ', 'XGhI4MmxV6WNceJl7uZeGYkIk', 'Zn0xul17RluxagJGG9dFyPQ6X', 'uGitQaoU3X86mvdSg8XN48MJs', 'D8hSbnQ2Fa8iRn853VdKVrLHR'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, Mdi7VGquZFgtdTsHjR8vrdhAoJfGaCU6KeLtwJw90OtRcrbKMQQPXeQR7mjcE4Poo.csHigh entropy of concatenated method names: 'kPHLKclri1k1xUbzvaaRaMK2pHyRLUtYhQHRCJ8aeQazzaumnV2BSwpmFDJpFpmtI', 'UjcWrwA5427665nsxhi3hh0DP', 'FU3hCfZYSGLW9Mr5DyGJxWYZ7', 'Vg0ODBAfqBO3JwkHZ2t3h1Yat', 'eowP8vME9w0HhbXUBhhryTLV3'
                    Source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, cBbOXm61NjZIyX7a7VKkSDEpUuJHEVw7wgDBD2Viw8LC9HPkrVFnNZFn45vlVDlkUKDlE4p9cnLRiwvm.csHigh entropy of concatenated method names: 'VZwwtA09907ZgsN0TecXABs5Fe6WfskCjfDSUPuME9jVoh0kI0mlifGMroQOORVKSmsBhjRHaDYi4PNp', 'abbPVLiDqqLFlHYJfMa8hJ8gRvFHkET50KeXqNMv', 'Pg9J4tUTnhKYXJ0zItmcPm1HOLfrgWwsJBKSd5RY', 'u0Xgpx9kifTl15Ok1ueItNPVwE52B7Y6eGqm7TrP', 'jJTktJQGaaTsSjyqIWb9iFfhzgO0Dh7dVFQg1K34'

                    Persistence and Installation Behavior

                    barindex
                    Uses ipconfig to lookup or modify the Windows network settings
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeFile created: C:\Users\user\AppData\Roaming\Xslide.exeJump to dropped file
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeFile created: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: Xslide.exe, 00000002.00000002.2338478812.000000000307C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: hKWBNgRd7p.exe, 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Xslide.exe, 00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Xslide.exe.0.drBinary or memory string: SBIEDLL.DLLQNVK9J55BSBGXK8IMQKMU146RNAGMGM8SVGSIS0DPQVAI5TJW74P77T0E07LF6UQ3IMHDXVCYFQ9SDQ9KCQ1M4F98KIT7EJZM1UBAOFWJITFEDNSYTL1ITXYBTUQRQ0LQVOHSPJFO7ISYQXMPNI5HZQTQIJBSVQQKEE1QCHMBVD0SBJAKYERWZTTYL7PCVWKDBAFBAWEP3H2KQKLMXKDFXPXPFLS7SD5B1HEH3ZGDZEGNSX5XCCRVFQGGCVSVJX8O3V46P3EVEFTEZD2YGECVENKWRLPG3PQDOELMCH7L1N85HLJ6NBTPNL3I0ET7NFFVHH7DVURQ5QYOTXHUL8ALR5EAB0ISQLMUAID6NLNJBBULMPBPQICZTFHX0UCCPLN59NJF5HS8U6P0SIGBFTZTMFCZ4QRD4VVPHSWMB21HKXQQKHHYPIOAR61XVDTGCUSMZDQURQLBEIX8KQSLZB5LQZMS4NGJYCXDV82H6E5IV2IQXJP90V1KC4EAKDLWCTPAD34BLHCRL1JEOPLRLSJLINFO
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeMemory allocated: 17C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeMemory allocated: 1B3A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeMemory allocated: 1460000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeMemory allocated: 1B070000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeMemory allocated: 1EDA4390000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeMemory allocated: 1EDBDD30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599874Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599745Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599640Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599531Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599421Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599310Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599200Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599091Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598968Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598859Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598750Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598639Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598531Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598421Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598312Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598203Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598093Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597984Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597871Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597764Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597627Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597515Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597254Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597139Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597028Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596921Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596812Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596703Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596593Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596484Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596374Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596265Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596156Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596046Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595937Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595828Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595718Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595608Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595499Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595390Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595280Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595171Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595062Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594952Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594818Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594675Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594312Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594132Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594015Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 593906Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 593796Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeWindow / User API: threadDelayed 3244Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeWindow / User API: threadDelayed 6590Jump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exe TID: 1720Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -34126476536362649s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -600000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -599874s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -599745s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -599640s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -599531s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -599421s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -599310s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -599200s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -599091s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598968s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598859s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598750s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598639s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598531s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598421s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598312s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598203s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -598093s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -597984s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -597871s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -597764s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -597627s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -597515s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -597254s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -597139s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -597028s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596921s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596812s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596703s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596593s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596484s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596374s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596265s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596156s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -596046s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595937s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595828s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595718s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595608s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595499s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595390s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595280s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595171s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -595062s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -594952s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -594818s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -594675s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -594312s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -594132s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -594015s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -593906s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe TID: 1988Thread sleep time: -593796s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599874Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599745Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599640Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599531Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599421Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599310Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599200Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 599091Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598968Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598859Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598750Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598639Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598531Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598421Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598312Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598203Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 598093Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597984Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597871Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597764Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597627Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597515Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597254Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597139Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 597028Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596921Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596812Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596703Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596593Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596484Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596374Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596265Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596156Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 596046Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595937Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595828Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595718Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595608Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595499Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595390Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595280Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595171Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 595062Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594952Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594818Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594675Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594312Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594132Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 594015Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 593906Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeThread delayed: delay time: 593796Jump to behavior
                    Source: Amcache.hve.10.drBinary or memory string: VMware
                    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
                    Source: Amcache.hve.10.drBinary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.10.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.10.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.10.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.10.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Xslide.exe, 00000002.00000002.2339102851.000000001BF40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: BootstrapperV1.22.exe, 00000003.00000002.2299707539.000001EDA4433000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
                    Source: Amcache.hve.10.drBinary or memory string: vmci.sys
                    Source: Amcache.hve.10.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
                    Source: Xslide.exe.0.drBinary or memory string: vmware
                    Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.10.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.10.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.10.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.10.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.10.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.10.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeCode function: 2_2_00007FF848D87A71 CheckRemoteDebuggerPresent,2_2_00007FF848D87A71
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Yara detected Powershell download and execute
                    Source: Yara matchFile source: Process Memory Space: BootstrapperV1.22.exe PID: 6788, type: MEMORYSTR
                    Source: Yara matchFile source: \Device\ConDrv, type: DROPPED
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess created: C:\Users\user\AppData\Roaming\Xslide.exe "C:\Users\user\AppData\Roaming\Xslide.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeProcess created: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /allJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /allJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeQueries volume information: C:\Users\user\Desktop\hKWBNgRd7p.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Xslide.exeQueries volume information: C:\Users\user\AppData\Roaming\Xslide.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeQueries volume information: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\hKWBNgRd7p.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
                    Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33d58a0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33c2660.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.0.Xslide.exe.e20000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.2338478812.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hKWBNgRd7p.exe PID: 3192, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Xslide.exe PID: 6300, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Xslide.exe, type: DROPPED

                    Remote Access Functionality

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33d58a0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33c2660.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.0.Xslide.exe.e20000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33c2660.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.hKWBNgRd7p.exe.33d58a0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.2338478812.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: hKWBNgRd7p.exe PID: 3192, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Xslide.exe PID: 6300, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Xslide.exe, type: DROPPED

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		11
                    Process Injection                    		1
                    Masquerading                    		OS Credential Dumping1
                    Query Registry                    		Remote Services11
                    Archive Collected Data                    		11
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		LSASS Memory431
                    Security Software Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Ingress Tool Transfer                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)51
                    Virtualization/Sandbox Evasion                    		Security Account Manager1
                    Process Discovery                    		SMB/Windows Admin SharesData from Network Shared Drive2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                    Process Injection                    		NTDS51
                    Virtualization/Sandbox Evasion                    		Distributed Component Object ModelInput Capture3
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    Application Window Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                    Obfuscated Files or Information                    		Cached Domain Credentials11
                    System Network Configuration Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
                    Software Packing                    		DCSync1
                    File and Directory Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    DLL Side-Loading                    		Proc Filesystem23
                    System Information Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1537992 Sample: hKWBNgRd7p.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 41 ip-api.com 2->41 43 www.nodejs.org 2->43 45 5 other IPs or domains 2->45 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 9 other signatures 2->61 9 hKWBNgRd7p.exe 4 2->9         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\Xslide.exe, PE32 9->35 dropped 37 C:\Users\user\...\BootstrapperV1.22.exe, PE32+ 9->37 dropped 39 C:\Users\user\AppData\...\hKWBNgRd7p.exe.log, CSV 9->39 dropped 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->65 13 Xslide.exe 14 2 9->13         started        17 BootstrapperV1.22.exe 14 8 9->17         started        signatures6 process7 dnsIp8 47 ip-api.com 208.95.112.1, 49706, 80 TUT-ASUS United States 13->47 67 Antivirus detection for dropped file 13->67 69 Multi AV Scanner detection for dropped file 13->69 71 Machine Learning detection for dropped file 13->71 73 2 other signatures 13->73 20 WerFault.exe 19 16 13->20         started        49 edge-term4-fra2.roblox.com 128.116.123.3, 443, 49708 ROBLOX-PRODUCTIONUS United States 17->49 51 www.nodejs.org 104.20.22.46, 443, 49712 CLOUDFLARENETUS United States 17->51 53 2 other IPs or domains 17->53 33 \Device\ConDrv, ISO-8859 17->33 dropped 22 cmd.exe 1 17->22         started        25 WerFault.exe 19 16 17->25         started        27 conhost.exe 17->27         started        file9 signatures10 process11 signatures12 63 Uses ipconfig to lookup or modify the Windows network settings 22->63 29 ipconfig.exe 1 22->29         started        31 conhost.exe 22->31         started        process13

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    hKWBNgRd7p.exe61%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                    hKWBNgRd7p.exe100%AviraTR/Dropper.Gen
                    hKWBNgRd7p.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\Xslide.exe100%AviraTR/Spy.Gen
                    C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\Xslide.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe63%ReversingLabsWin64.Trojan.Malgent
                    C:\Users\user\AppData\Roaming\Xslide.exe88%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://upx.sf.net0%URL Reputationsafe
                    http://james.newtonking.com/projects/json0%URL Reputationsafe
                    https://www.newtonsoft.com/jsonschema0%URL Reputationsafe
                    http://ip-api.com0%URL Reputationsafe
                    https://www.nuget.org/packages/Newtonsoft.Json.Bson0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://ip-api.com/line/?fields=hosting0%URL Reputationsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    getsolara.dev
                    		172.67.203.125
                    		truefalse
                      		unknown
                      edge-term4-fra2.roblox.com
                      		128.116.123.3
                      		truefalse
                        		unknown
                        www.nodejs.org
                        		104.20.22.46
                        		truefalse
                          		unknown
                          ip-api.com
                          		208.95.112.1
                          		truetrue
                            		unknown
                            clientsettings.roblox.com
                            		unknown
                            		unknownfalse
                              		unknown

                              Contacted URLs

                              NameMaliciousAntivirus DetectionReputation
                              https://getsolara.dev/asset/discord.jsonfalse
                                		unknown
                                https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/livefalse
                                  		unknown
                                  https://getsolara.dev/api/endpoint.jsonfalse
                                    		unknown
                                    https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msifalse
                                      		unknown
                                      http://ip-api.com/line/?fields=hostingfalse
                                      • URL Reputation: safe
                                      		unknown

                                      URLs from Memory and Binaries

                                      NameSourceMaliciousAntivirus DetectionReputation
                                      http://127.0.0.1:6463BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://www.nodejs.orgBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://discord.comBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5D31000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://ncs.roblox.com/uploadBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EA9000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://www.nodejs.orgBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://upx.sf.netAmcache.hve.10.drfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://james.newtonking.com/projects/jsonBootstrapperV1.22.exe.0.drfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://300fa622.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exeBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    http://getsolara.devBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5DE5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://discord.com;http://127.0.0.1:6463/rpc?v=11BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drfalse
                                                        		unknown
                                                        https://aka.ms/vs/17/release/vc_redist.x64.exeBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drfalse
                                                          		unknown
                                                          https://getsolara.devBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5DDA000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://127.0.0.1:64632BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://www.newtonsoft.com/jsonschemaBootstrapperV1.22.exe.0.drfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://ip-api.comXslide.exe, 00000002.00000002.2338478812.0000000003132000.00000004.00000800.00020000.00000000.sdmp, Xslide.exe, 00000002.00000002.2338478812.0000000003119000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://300fa622.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zipBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EAD000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EBF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                https://www.nuget.org/packages/Newtonsoft.Json.BsonBootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/rawBootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5D31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe.0.drfalse
                                                                  		unknown
                                                                  http://127.0.0.1:6463/rpc?v=1BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5D31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameXslide.exe, 00000002.00000002.2338478812.0000000003119000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5DCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://clientsettings.roblox.comBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msiBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5EA5000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        https://pastebin.com/raw/pjseRvyKBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5E47000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          https://clientsettings.roblox.comBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            http://edge-term4-fra2.roblox.comBootstrapperV1.22.exe, 00000003.00000002.2300270818.000001EDA5ECF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.cBootstrapperV1.22.exe, 00000003.00000000.2045208687.000001EDA4092000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.22.exe.0.drfalse
                                                                                		unknown

                                                                                World Map of Contacted IPs

                                                                                • No. of IPs < 25%
                                                                                • 25% < No. of IPs < 50%
                                                                                • 50% < No. of IPs < 75%
                                                                                • 75% < No. of IPs

                                                                                Public IPs

                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                172.67.203.125
                                                                                		getsolara.devUnited States
                                                                                		13335CLOUDFLARENETUSfalse
                                                                                208.95.112.1
                                                                                		ip-api.comUnited States
                                                                                		53334TUT-ASUStrue
                                                                                128.116.123.3
                                                                                		edge-term4-fra2.roblox.comUnited States
                                                                                		22697ROBLOX-PRODUCTIONUSfalse
                                                                                104.20.22.46
                                                                                		www.nodejs.orgUnited States
                                                                                		13335CLOUDFLARENETUSfalse

                                                                                Private

                                                                                IP
                                                                                127.0.0.1

                                                                                General Information

                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                Analysis ID:1537992
                                                                                Start date and time:2024-10-20 01:28:09 +02:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 6m 22s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                Number of analysed new started processes analysed:16
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:0
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:hKWBNgRd7p.exe
                                                                                renamed because original name is a hash value
                                                                                Original Sample Name:1f28042480cd4617e127e0a40f0bd958bacba132d5d41a78a1a002529ed7b6da.exe
                                                                                Detection:MAL
                                                                                Classification:mal100.troj.evad.winEXE@13/14@4/5
                                                                                EGA Information:
                                                                                • Successful, ratio: 33.3%
                                                                                HCA Information:
                                                                                • Successful, ratio: 95%
                                                                                • Number of executed functions: 164
                                                                                • Number of non-executed functions: 4
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .exe

                                                                                Warnings

                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                • Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.89.179.12
                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
                                                                                • Execution Graph export aborted for target BootstrapperV1.22.exe, PID 6788 because it is empty
                                                                                • Execution Graph export aborted for target hKWBNgRd7p.exe, PID 3192 because it is empty
                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                • VT rate limit hit for: hKWBNgRd7p.exe

                                                                                Simulations

                                                                                Behavior and APIs

                                                                                TimeTypeDescription
                                                                                19:29:05API Interceptor56x Sleep call for process: BootstrapperV1.22.exe modified
                                                                                19:29:26API Interceptor2x Sleep call for process: WerFault.exe modified

                                                                                Joe Sandbox View / Context

                                                                                IPs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                172.67.203.125SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exeGet hashmaliciousUnknownBrowse
                                                                                  SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exeGet hashmaliciousUnknownBrowse
                                                                                    BootstrapperV1.19.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                      RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                        SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                          SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exeGet hashmaliciousUnknownBrowse
                                                                                            208.95.112.1WlD1K1Oxbl.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • ip-api.com/line/?fields=hosting
                                                                                            kjhP2r4VIP.exeGet hashmaliciousXWormBrowse
                                                                                            • ip-api.com/line/?fields=hosting
                                                                                            fatality.exeGet hashmaliciousXWormBrowse
                                                                                            • ip-api.com/line/?fields=hosting
                                                                                            aimware.exeGet hashmaliciousXWormBrowse
                                                                                            • ip-api.com/line/?fields=hosting
                                                                                            SecuriteInfo.com.Win64.Evo-gen.14681.29745.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                                            • ip-api.com/json/?fields=225545
                                                                                            sd4vrPkE02.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • ip-api.com/line/?fields=hosting
                                                                                            lsAXde4em3.exeGet hashmaliciousQuasarBrowse
                                                                                            • ip-api.com/json/
                                                                                            SecuriteInfo.com.Win32.DropperX-gen.7855.32539.exeGet hashmaliciousXehook StealerBrowse
                                                                                            • ip-api.com/json/?fields=11827
                                                                                            SecuriteInfo.com.Win64.Malware-gen.32485.11504.exeGet hashmaliciousPython Stealer, BraodoBrowse
                                                                                            • ip-api.com/json/?fields=8195
                                                                                            NdEIhUToOm.exeGet hashmaliciousExela Stealer, Python StealerBrowse
                                                                                            • ip-api.com/json

                                                                                            Domains

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            www.nodejs.org8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                            • 104.20.23.46
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.20.22.46
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.20.22.46
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.20.23.46
                                                                                            SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.20.23.46
                                                                                            BootstrapperV1.19.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                            • 104.20.23.46
                                                                                            RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • 104.20.22.46
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.20.23.46
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.20.23.46
                                                                                            SecuriteInfo.com.Win32.MalwareX-gen.6231.15153.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.20.22.46
                                                                                            getsolara.devSecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.93.27
                                                                                            SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.93.27
                                                                                            8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                            • 104.21.93.27
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.93.27
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.93.27
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.93.27
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.93.27
                                                                                            SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.93.27
                                                                                            ip-api.comWlD1K1Oxbl.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • 208.95.112.1
                                                                                            kjhP2r4VIP.exeGet hashmaliciousXWormBrowse
                                                                                            • 208.95.112.1
                                                                                            fatality.exeGet hashmaliciousXWormBrowse
                                                                                            • 208.95.112.1
                                                                                            aimware.exeGet hashmaliciousXWormBrowse
                                                                                            • 208.95.112.1
                                                                                            SecuriteInfo.com.Win64.Evo-gen.14681.29745.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                                            • 208.95.112.1
                                                                                            sd4vrPkE02.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • 208.95.112.1
                                                                                            SecuriteInfo.com.Win32.DropperX-gen.7855.32539.exeGet hashmaliciousXehook StealerBrowse
                                                                                            • 208.95.112.1
                                                                                            SecuriteInfo.com.Win64.Malware-gen.32485.11504.exeGet hashmaliciousPython Stealer, BraodoBrowse
                                                                                            • 208.95.112.1
                                                                                            NdEIhUToOm.exeGet hashmaliciousExela Stealer, Python StealerBrowse
                                                                                            • 208.95.112.1
                                                                                            edge-term4-fra2.roblox.comBootstrapperV1.19.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                            • 128.116.123.4
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.123.3
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.123.3
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.123.4
                                                                                            Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.123.3
                                                                                            SolaraBootstrapper.exeGet hashmaliciousDCRat, XWormBrowse
                                                                                            • 128.116.123.3

                                                                                            ASNs

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            ROBLOX-PRODUCTIONUS8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                            • 128.116.44.3
                                                                                            https://www.roblox.sc/users/294681399108/profileGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.122.3
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.44.3
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.44.3
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.44.4
                                                                                            SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.119.3
                                                                                            BootstrapperV1.19.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                            • 128.116.123.4
                                                                                            RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • 128.116.21.3
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.123.3
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                            • 128.116.123.3
                                                                                            TUT-ASUSWlD1K1Oxbl.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • 208.95.112.1
                                                                                            kjhP2r4VIP.exeGet hashmaliciousXWormBrowse
                                                                                            • 208.95.112.1
                                                                                            fatality.exeGet hashmaliciousXWormBrowse
                                                                                            • 208.95.112.1
                                                                                            aimware.exeGet hashmaliciousXWormBrowse
                                                                                            • 208.95.112.1
                                                                                            SecuriteInfo.com.Win64.Evo-gen.14681.29745.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                                            • 208.95.112.1
                                                                                            sd4vrPkE02.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • 208.95.112.1
                                                                                            lsAXde4em3.exeGet hashmaliciousQuasarBrowse
                                                                                            • 208.95.112.1
                                                                                            SecuriteInfo.com.Win32.DropperX-gen.7855.32539.exeGet hashmaliciousXehook StealerBrowse
                                                                                            • 208.95.112.1
                                                                                            Reader_PDF_2024.exeGet hashmaliciousUnknownBrowse
                                                                                            • 208.95.112.1
                                                                                            Reader_PDF_2024.exeGet hashmaliciousUnknownBrowse
                                                                                            • 208.95.112.1
                                                                                            CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                            • 172.67.206.204
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.9093.5876.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.80.99
                                                                                            Setup.exeGet hashmaliciousLummaCBrowse
                                                                                            • 172.67.206.204
                                                                                            Setup.exeGet hashmaliciousLummaCBrowse
                                                                                            • 172.67.206.204
                                                                                            setup.exeGet hashmaliciousLummaCBrowse
                                                                                            • 188.114.97.3
                                                                                            Loader.exeGet hashmaliciousLummaCBrowse
                                                                                            • 104.21.28.222
                                                                                            msvcp110.dllGet hashmaliciousLummaCBrowse
                                                                                            • 172.67.147.188
                                                                                            https://sub.investorscabirigroup.com/4WQbos10596ktJI775idiwtbqpkk1528WGTFCWTFRKDXPVO305927/749609o14Get hashmaliciousPhisherBrowse
                                                                                            • 104.19.229.21
                                                                                            Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                            • 188.114.97.3
                                                                                            https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14Get hashmaliciousPhisherBrowse
                                                                                            • 104.19.229.21
                                                                                            CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                            • 172.67.206.204
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.9093.5876.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.80.99
                                                                                            Setup.exeGet hashmaliciousLummaCBrowse
                                                                                            • 172.67.206.204
                                                                                            Setup.exeGet hashmaliciousLummaCBrowse
                                                                                            • 172.67.206.204
                                                                                            setup.exeGet hashmaliciousLummaCBrowse
                                                                                            • 188.114.97.3
                                                                                            Loader.exeGet hashmaliciousLummaCBrowse
                                                                                            • 104.21.28.222
                                                                                            msvcp110.dllGet hashmaliciousLummaCBrowse
                                                                                            • 172.67.147.188
                                                                                            https://sub.investorscabirigroup.com/4WQbos10596ktJI775idiwtbqpkk1528WGTFCWTFRKDXPVO305927/749609o14Get hashmaliciousPhisherBrowse
                                                                                            • 104.19.229.21
                                                                                            Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                            • 188.114.97.3
                                                                                            https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14Get hashmaliciousPhisherBrowse
                                                                                            • 104.19.229.21

                                                                                            JA3 Fingerprints

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            3b5074b1b5d032e5620f69f9f700ff0eN2ER4ZENF1.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46
                                                                                            N2ER4ZENF1.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46
                                                                                            SecuriteInfo.com.Win64.Evo-gen.14681.29745.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46
                                                                                            SecuriteInfo.com.Win64.MalwareX-gen.18133.14409.exeGet hashmaliciousDiscord RatBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46
                                                                                            cAHHSnHDJS.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46
                                                                                            cAHHSnHDJS.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46
                                                                                            01oTkKQVSW.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46
                                                                                            WeLyNA2xUj.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46
                                                                                            01oTkKQVSW.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.203.125
                                                                                            • 128.116.123.3
                                                                                            • 104.20.22.46

                                                                                            Dropped Files

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            C:\Users\user\AppData\Roaming\BootstrapperV1.22.exeSecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exeGet hashmaliciousUnknownBrowse
                                                                                              8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                                SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exeGet hashmaliciousUnknownBrowse

                                                                                                  Created / dropped Files

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BootstrapperV1.2_8a67a53847f1550bba47f83cc7f50ab9fda1622_30d98452_0f5c26c4-cbff-4a42-8fab-aff46105e22e\Report.wer

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.2672847124968338
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:w1LKir0bU9+dQda+xejol2/fsLzuiFuZ24lO8U:WLK9bG+dQda+l23sLzuiFuY4lO8U
                                                                                                  MD5:7447A77260DBA89716D2E5D60FAE6B0A
                                                                                                  SHA1:158CE9039C5B5C45657DB56DF628B216D312B0E6
                                                                                                  SHA-256:B85B26E1715EC8132B8015D78E24B6A5C679B49387E6E11D4F9B821CBCE71AF7
                                                                                                  SHA-512:27D81C895821DA4429AF5B6C02737DB77E7D95441F4FA90015F0047F74EA43CDD74511E6A2113240EE13D01439D6FC0E5111249C1357419C2951A5A0F577D844
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.8.5.4.1.5.2.4.4.2.5.0.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.8.5.4.1.5.3.3.6.4.3.8.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.5.c.2.6.c.4.-.c.b.f.f.-.4.a.4.2.-.8.f.a.b.-.a.f.f.4.6.1.0.5.e.2.2.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.f.b.9.e.8.1.-.c.1.4.c.-.4.7.2.0.-.8.6.c.7.-.9.9.6.7.d.7.1.6.9.7.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.B.o.o.t.s.t.r.a.p.p.e.r.V.1...2.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.o.l.a.r.a.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.8.4.-.0.0.0.1.-.0.0.1.4.-.e.3.a.c.-.a.6.a.d.7.e.2.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.e.1.7.3.6.3.1.c.a.d.c.4.a.7.6.9.5.d.3.9.9.5.7.a.1.2.d.e.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.2.1.f.2.3.2.c.2.f.d.8.1.3.2.f.8.6.7.7.e.5.3.2.5.8.5.6.2.a.d.9.8.b.4.5.

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Xslide.exe_4a889d424fec33ff782fa8e8e38fe91422c0994e_0ad26d8a_e8e540ef-9362-4a48-8ec7-23b807958b0d\Report.wer

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.2024651184676107
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sWoxhE7+K0NxMQaWj8iyU1lxPzuiFuZ24lO8xJ:+xhE7QNxMQa48iFxPzuiFuY4lO8x
                                                                                                  MD5:CECDD8A68DAEBC5B2ACFFEC586A25627
                                                                                                  SHA1:B4ABD8F117AA8BA6F051B191097775862878F699
                                                                                                  SHA-256:D3CA626302986A097759626D855427C12825A7611A901BB2F042ACCC5DD1123B
                                                                                                  SHA-512:A7EA4D9E28606BD7CFBCF45BE08C92DC6CC5EAD577AA09A42036E7E95EB360A18DE42BC9904DB08673D631D56D4AEC3185033823910CC50E084F692C8951A800
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.8.5.4.1.4.6.1.2.8.1.6.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.8.5.4.1.4.6.7.8.4.4.1.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.e.5.4.0.e.f.-.9.3.6.2.-.4.a.4.8.-.8.e.c.7.-.2.3.b.8.0.7.9.5.8.b.0.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.7.2.9.4.1.3.1.-.e.e.5.f.-.4.1.9.e.-.a.8.f.1.-.c.4.7.b.7.b.2.d.8.0.1.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.X.s.l.i.d.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.s.l.i.d.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.9.c.-.0.0.0.1.-.0.0.1.4.-.1.e.1.f.-.9.6.a.d.7.e.2.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.4.c.7.6.d.e.6.f.e.a.6.5.4.9.6.a.e.0.6.1.0.6.1.7.b.1.7.6.f.9.6.0.0.0.0.0.0.0.0.!.0.0.0.0.3.e.f.7.1.a.8.4.4.1.a.4.1.6.c.1.0.8.6.f.f.7.2.2.9.0.9.1.d.b.f.e.f.5.d.c.b.d.3.c.!.X.s.l.i.d.e...e.x.e.....T.a.r.g.e.

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E87.tmp.dmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:Mini DuMP crash report, 16 streams, Sat Oct 19 23:29:06 2024, 0x1205a4 type
                                                                                                  Category:dropped
                                                                                                  Size (bytes):441718
                                                                                                  Entropy (8bit):3.104125022136241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:O+94amM1CCqr63+vk68+lF7Mx4OP29K8bD6cSSggR/VzAYlRscqjRlb:19dtqu3Qk6SxfjLSLR/5AYnsX3
                                                                                                  MD5:F4079C2439A4F27836C271CBB464663C
                                                                                                  SHA1:682393FDE17212EEBAF25E952D6E6F82028B13D7
                                                                                                  SHA-256:960FD8EB9F3683C80F3FEE539C794557E159EDC39C9E27CF669D03D17B3026E5
                                                                                                  SHA-512:4D7BFB96065B5EC4B6A828364438C6B29ABAD2E06EDC9DADFBB48F49E8498D6B784BC734CC0DFE7304D15574B19F7F3EE18B094434374B87DEE4795C2B469401
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:MDMP..a..... ........@.g........................d...........<...((..........d(.......7..P...........l.......8...........T............@...|..........|6..........h8..............................................................................eJ.......9......Lw......................T............@.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER205D.tmp.WERInternalMetadata.xml

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6704
                                                                                                  Entropy (8bit):3.7161158102003484
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:R6l7wVeJ7nuzejYZ0WtpDr89bjEFfRKABm:R6lXJSGYqWEjmfRK7
                                                                                                  MD5:A43AB5E8B3BF7B7B5A082B3B5B81B511
                                                                                                  SHA1:BD588CEA31760414D79CC2CE91074D350E5CC655
                                                                                                  SHA-256:F7AE7B40DE9A29BD89A3D9E8CF61875504CA8B7F23015B0394EEA7E653729668
                                                                                                  SHA-512:FD9775BD0C25FD6E55CEC04BD5B7C76127520A81759181BF99F7698796BDAE9143DA68585CB5CB53A1C69139B7DDBEF1C6E0DE2830B713632CBD1ECC385FFE8D
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.0.0.<./.P.i.

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER207D.tmp.xml

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4731
                                                                                                  Entropy (8bit):4.417057666632292
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwWl8zstJg771I9v172WpW8VYXYm8M4JcookPFDyq8vKokkzPlqU5z4z2Id:uIjfHI7Sr7VLJtWj1xGxd
                                                                                                  MD5:8B2799D07B482FD8D3990F67B2854AE2
                                                                                                  SHA1:7944F134AD49E85DBD8E2352F0E99FBFC469A15A
                                                                                                  SHA-256:8EA4BF231FB9306FD17F824EE77CF54C099DD5CDA102A9DCBFE8F17CC84E6078
                                                                                                  SHA-512:7573F7FE4C198732195F0686E183467070FE44C22103D50B7ABE198D5FA6B2CFEA67D5535E96A229A0B66DDD501AC0A7E682B03BE86C2AB5F3FC31F2FF6C270E
                                                                                                  Malicious:false
                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="550951" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER3730.tmp.dmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:Mini DuMP crash report, 16 streams, Sat Oct 19 23:29:12 2024, 0x1205a4 type
                                                                                                  Category:dropped
                                                                                                  Size (bytes):607702
                                                                                                  Entropy (8bit):3.2892294969747047
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:H6WkvQVqX0E8mN5B3QPC/6Xx2QYb2eQRIGLxmarA5:3qX0WQK/6Xx2MIGLx
                                                                                                  MD5:22C38061E986D7B23C3BE2CB268D5673
                                                                                                  SHA1:75E782994A5D6DC55BD7D0BF5863E50EC59624B9
                                                                                                  SHA-256:EDD30FDC8141BDA364BCD060B33B5A7C216AAC1C8393FE9F187A7885EB2E26BD
                                                                                                  SHA-512:683D12B49B524A4227EE0D4EF27C78B7BDBA87D5B0511511F4E3E8C8BC8BEB414355B1FA57E8D3D887428DFD77C9BF5DF572F0D6F6A940FED26CECCB1A27BD2B
                                                                                                  Malicious:false
                                                                                                  Preview:MDMP..a..... ........@.g............4...........<...T.......<....)...........)......tT..............l.......8...........T............U..&............E...........G..............................................................................eJ......@H......Lw......................T............@.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER39C1.tmp.WERInternalMetadata.xml

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6820
                                                                                                  Entropy (8bit):3.7161674190171383
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:R6l7wVeJsJZcp1zYZE8npr889bfpEfGVm:R6lXJiZcp1zYGofqfF
                                                                                                  MD5:48D7FC8CEC11BC2171E1B5300D46F557
                                                                                                  SHA1:1780B2800B6F2B3F7E3EBAB30EA3C6F92E46A37D
                                                                                                  SHA-256:73FC0C5B69B5343BED20CFCDD3C6458F8A96E89A8E28635918DAD24F42026BE4
                                                                                                  SHA-512:1C92071B2749DBB427DE642999E73A2FDDBA21DD8E6952CF1F6312A163DFBBDC42980C909457C293D0CB157C6E47BC385C9E94925BE3F28C1E3AEEC272F9465A
                                                                                                  Malicious:false
                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.8.<./.P.i.

                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A00.tmp.xml

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4834
                                                                                                  Entropy (8bit):4.465254379965041
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwWl8zstJg771I9v172WpW8VY3Ym8M4JQDCT/FiLHXyq8vaCTOj1yioimd:uIjfHI7Sr7VnJgjXW6j1vdmd
                                                                                                  MD5:9685BA504103C34794A471172B522951
                                                                                                  SHA1:7AA84CD9BE026ACEBF1EF34E612AAE823B20C534
                                                                                                  SHA-256:3D231654E88045666C3F2301C0176407897F66FCD1CF755FAE942DB42BCD1574
                                                                                                  SHA-512:0B05F126AE8DACAD3E55F20B9C4A956CD30A348FDF080567DEAF50C770F4E21A84669C786CCB1220CE6C3CF480BAC19966ED6D6F2E8C006BEC5585DC0B2F44C8
                                                                                                  Malicious:false
                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="550951" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hKWBNgRd7p.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\hKWBNgRd7p.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):654
                                                                                                  Entropy (8bit):5.380476433908377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                  Malicious:true
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                                                  C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\hKWBNgRd7p.exe
                                                                                                  File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):819200
                                                                                                  Entropy (8bit):5.598226996524291
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:t0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0z:O5vgHWjTwAlocaKjyyItHDz
                                                                                                  MD5:2A4DCF20B82896BE94EB538260C5FB93
                                                                                                  SHA1:21F232C2FD8132F8677E53258562AD98B455E679
                                                                                                  SHA-256:EBBCB489171ABFCFCE56554DBAEACD22A15838391CBC7C756DB02995129DEF5A
                                                                                                  SHA-512:4F1164B2312FB94B7030D6EB6AA9F3502912FFA33505F156443570FC964BFD3BB21DED3CF84092054E07346D2DCE83A0907BA33F4BA39AD3FE7A78E836EFE288
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 63%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe, Detection: malicious, Browse
                                                                                                  • Filename: 8svMXMXNRn.exe, Detection: malicious, Browse
                                                                                                  • Filename: SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe, Detection: malicious, Browse
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Ll.g.........."......v............... ....@...... ....................................`.................................................D...T.......u............................................................................................ ..H............text....t... ...v.................. ..`.rsrc...u............x..............@..@.reloc...............~..............@..BH........................................................................0..R.......(....:....*r...p(....r...po....:-...r-..pr&..p.. (.....@....r...pr<..p(....(....&*.......0..........rL..prT..p.(....s....%.o....%.o....%.o....%.o.....s.......o.....o....&.o....o......(....9.....o....o.............9.....o......*.......8.8p.......0..8.......r\..p.......%...%.r^..p.%...%.r...p.%...%.r...p.(......*.....(....~....%:....&~......*...s....%.....(...+*...0..l.........(....r...p(....(....r\..p.

                                                                                                  C:\Users\user\AppData\Roaming\Xslide.exe

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\hKWBNgRd7p.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):78336
                                                                                                  Entropy (8bit):6.0333874797452385
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:GCdzcxm6QyOwIQGBsz81r5bYAA7Ld06jEHcOWZuLvRs:GCdzUCLnR5bYnvdOuuVs
                                                                                                  MD5:92D8E68510A37876B612FE5DE1204F19
                                                                                                  SHA1:3EF71A8441A416C1086FF7229091DBFEF5DCBD3C
                                                                                                  SHA-256:71DE9697D664C57D1965AE1D6B2632DDA04A17B36CAA56EC2FA5F5F7DD52A061
                                                                                                  SHA-512:05DA6C91869A742838E27CDBEDD0B833C86DF3D3FF4BD365873F476CC9C00958A191B82DB4973A79CB342D21449ECCB25DC481436FAC043AD3D921A5E019750B
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Xslide.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Xslide.exe, Author: Joe Security
                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Xslide.exe, Author: ditekSHen
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 88%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g.................(..........>F... ...`....@.. ....................................@..................................E..S....`............................................................................... ............... ..H............text...D&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc...............0..............@..B................ F......H........a..........&.....................................................(....*.r...p*. 9...*..(....*.r...p*. E ..*.s.........s.........s.........s.........*.rK..p*. ..e.*.r...p*. ...*.r...p*. E/..*.r...p*. .Kl.*.r_..p*. V...*..((...*.r...p*. {...*.rl..p*. ~.H.*.(*...-.(+...,.+.(,...,.+.()...,.+.((...,..(T...*"(....+.*&(....&+.*.+5sf... .... .'..og...(,...~....-.(\...(N...~....oh...&.-.*.r...p*. X...*.r...p*. ....*.rb..p*. ..'.*.r...p*. ..9.*.r...p*. .w..*.rX..p*. .(T.*.r..

                                                                                                  C:\Users\user\Desktop\DISCORD

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):103
                                                                                                  Entropy (8bit):4.081427527984575
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
                                                                                                  MD5:B016DAFCA051F817C6BA098C096CB450
                                                                                                  SHA1:4CC74827C4B2ED534613C7764E6121CEB041B459
                                                                                                  SHA-256:B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
                                                                                                  SHA-512:D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
                                                                                                  Malicious:false
                                                                                                  Preview:{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }

                                                                                                  C:\Windows\appcompat\Programs\Amcache.hve

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1835008
                                                                                                  Entropy (8bit):4.424807849297673
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:sSvfpi6ceLP/9skLmb0OTfWSPHaJG8nAgeMZMMhA2fX4WABlEnNS0uhiTw:XvloTfW+EZMM6DFy003w
                                                                                                  MD5:B084C1793CF351439D7975B06923966C
                                                                                                  SHA1:9856C339AED36FF9612C50BFC7BCBA1E188E31E7
                                                                                                  SHA-256:57F0070039EA919DFAB87BCD2221DCF61CA57ECE9684DD8D4F02976A7663FA9B
                                                                                                  SHA-512:302D0DD2A28485663F90E97218F258E7522C45CC738686EAF71729FA05F2F9922B12543D938CB800000BA1FADFFB05F4717A532BD2B389209BA3270D1E8E75DA
                                                                                                  Malicious:false
                                                                                                  Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ9..~".........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  \Device\ConDrv

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe
                                                                                                  File Type:ISO-8859 text, with CRLF, LF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):571
                                                                                                  Entropy (8bit):4.9398118662542965
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
                                                                                                  MD5:5294778E41EE83E1F1E78B56466AD690
                                                                                                  SHA1:348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
                                                                                                  SHA-256:3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
                                                                                                  SHA-512:381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
                                                                                                  Preview:.............................................................------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):7.8637276669437455
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                  File name:hKWBNgRd7p.exe
                                                                                                  File size:1'073'152 bytes
                                                                                                  MD5:6733c81ba7e5e5a8bb1e10c032f5eeec
                                                                                                  SHA1:92494390952fcdc36cdfb005feeebf1970cd805b
                                                                                                  SHA256:1f28042480cd4617e127e0a40f0bd958bacba132d5d41a78a1a002529ed7b6da
                                                                                                  SHA512:7d156f1d6bd8b3aa250799933a508325007a038291b2a2806ddd4e812352fffbacf0436d2be15ba39f178ce6ec702ae27fcc7e1ae220958104d974d55f0435d3
                                                                                                  SSDEEP:24576:sBq0hfou3dT5ob2TfflMT//75vhSJQ3rTyuBTdacjPhNjL6:Sq0hfJrob2zf2X7NhSS3nyCPn
                                                                                                  TLSH:EA35E0749A95A1CBD381273CF9A43335953C5BF0E8E3EAC4FE726892EA157496C81DC0
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................................@................................

                                                                                                  File Icon

                                                                                                  Icon Hash:e4e9d4f0d0e972c7

                                                                                                  Static PE Info

                                                                                                  General

                                                                                                  Entrypoint:0x4dface
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x6713B6F1 [Sat Oct 19 13:41:05 2024 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                  Entrypoint Preview

                                                                                                  Instruction
                                                                                                  jmp dword ptr [00402000h]
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al

                                                                                                  Data Directories

                                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xdfa7c0x4f.text
                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xe00000x27ea2.rsrc
                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x1080000xc.reloc
                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                  Sections

                                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                  .text0x20000xddad40xddc00c3e74f5af16e0b7a71e20986df18ddd8False0.9396182708568207data7.997522656043478IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                  .rsrc0xe00000x27ea20x280009dbd5e3e920fcf2e7b60b0aeb5ab50f9False0.4015625data5.659796625821392IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                  .reloc0x1080000xc0x20019cce3953bf3c5ca9bdc1718c0dd0105False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                  Resources

                                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                  RT_ICON0xe01300x27928Device independent bitmap graphic, 204 x 384 x 32, image size 1566720.40137456196633925
                                                                                                  RT_GROUP_ICON0x107a580x14data1.1
                                                                                                  RT_VERSION0x107a6c0x24cdata0.4744897959183674
                                                                                                  RT_MANIFEST0x107cb80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                                                  Imports

                                                                                                  DLLImport
                                                                                                  mscoree.dll_CorExeMain

                                                                                                  Network Behavior

                                                                                                  Suricata IDS Alerts

                                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                  2024-10-20T01:29:07.284361+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.549707172.67.203.125443TCP

                                                                                                  Network Port Distribution

                                                                                                  TCP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Oct 20, 2024 01:29:02.810298920 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:02.810329914 CEST44349704172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:02.810405970 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:02.828049898 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:02.828063965 CEST44349704172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:03.468672037 CEST44349704172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:03.468746901 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:03.587749958 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:03.587763071 CEST44349704172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:03.588803053 CEST44349704172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:03.632169962 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:03.715329885 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:03.755431890 CEST44349704172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:03.957039118 CEST44349704172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:03.957247019 CEST44349704172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:03.957310915 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:03.993937016 CEST49704443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:05.338365078 CEST4970680192.168.2.5208.95.112.1
                                                                                                  Oct 20, 2024 01:29:05.343318939 CEST8049706208.95.112.1192.168.2.5
                                                                                                  Oct 20, 2024 01:29:05.343403101 CEST4970680192.168.2.5208.95.112.1
                                                                                                  Oct 20, 2024 01:29:05.343687057 CEST4970680192.168.2.5208.95.112.1
                                                                                                  Oct 20, 2024 01:29:05.348510981 CEST8049706208.95.112.1192.168.2.5
                                                                                                  Oct 20, 2024 01:29:05.953402996 CEST8049706208.95.112.1192.168.2.5
                                                                                                  Oct 20, 2024 01:29:06.007157087 CEST4970680192.168.2.5208.95.112.1
                                                                                                  Oct 20, 2024 01:29:06.506864071 CEST49707443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:06.506891012 CEST44349707172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:06.506973982 CEST49707443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:06.508861065 CEST49707443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:06.508873940 CEST44349707172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.121189117 CEST44349707172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.121267080 CEST49707443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:07.123188019 CEST49707443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:07.123195887 CEST44349707172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.123704910 CEST44349707172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.124800920 CEST49707443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:07.171401024 CEST44349707172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.284471035 CEST44349707172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.284781933 CEST44349707172.67.203.125192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.284837008 CEST49707443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:07.285325050 CEST49707443192.168.2.5172.67.203.125
                                                                                                  Oct 20, 2024 01:29:07.608397007 CEST49708443192.168.2.5128.116.123.3
                                                                                                  Oct 20, 2024 01:29:07.608496904 CEST44349708128.116.123.3192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.608622074 CEST49708443192.168.2.5128.116.123.3
                                                                                                  Oct 20, 2024 01:29:07.608931065 CEST49708443192.168.2.5128.116.123.3
                                                                                                  Oct 20, 2024 01:29:07.608964920 CEST44349708128.116.123.3192.168.2.5
                                                                                                  Oct 20, 2024 01:29:08.477272034 CEST44349708128.116.123.3192.168.2.5
                                                                                                  Oct 20, 2024 01:29:08.477511883 CEST49708443192.168.2.5128.116.123.3
                                                                                                  Oct 20, 2024 01:29:08.481168985 CEST49708443192.168.2.5128.116.123.3
                                                                                                  Oct 20, 2024 01:29:08.481205940 CEST44349708128.116.123.3192.168.2.5
                                                                                                  Oct 20, 2024 01:29:08.481451035 CEST44349708128.116.123.3192.168.2.5
                                                                                                  Oct 20, 2024 01:29:08.482613087 CEST49708443192.168.2.5128.116.123.3
                                                                                                  Oct 20, 2024 01:29:08.523438931 CEST44349708128.116.123.3192.168.2.5
                                                                                                  Oct 20, 2024 01:29:08.939502954 CEST44349708128.116.123.3192.168.2.5
                                                                                                  Oct 20, 2024 01:29:08.939577103 CEST44349708128.116.123.3192.168.2.5
                                                                                                  Oct 20, 2024 01:29:08.939974070 CEST49708443192.168.2.5128.116.123.3
                                                                                                  Oct 20, 2024 01:29:08.948358059 CEST49708443192.168.2.5128.116.123.3
                                                                                                  Oct 20, 2024 01:29:10.506443977 CEST49712443192.168.2.5104.20.22.46
                                                                                                  Oct 20, 2024 01:29:10.506484032 CEST44349712104.20.22.46192.168.2.5
                                                                                                  Oct 20, 2024 01:29:10.506570101 CEST49712443192.168.2.5104.20.22.46
                                                                                                  Oct 20, 2024 01:29:10.506872892 CEST49712443192.168.2.5104.20.22.46
                                                                                                  Oct 20, 2024 01:29:10.506886959 CEST44349712104.20.22.46192.168.2.5
                                                                                                  Oct 20, 2024 01:29:11.140053988 CEST44349712104.20.22.46192.168.2.5
                                                                                                  Oct 20, 2024 01:29:11.140136957 CEST49712443192.168.2.5104.20.22.46
                                                                                                  Oct 20, 2024 01:29:11.144644976 CEST49712443192.168.2.5104.20.22.46
                                                                                                  Oct 20, 2024 01:29:11.144651890 CEST44349712104.20.22.46192.168.2.5
                                                                                                  Oct 20, 2024 01:29:11.144944906 CEST44349712104.20.22.46192.168.2.5
                                                                                                  Oct 20, 2024 01:29:11.156522036 CEST49712443192.168.2.5104.20.22.46
                                                                                                  Oct 20, 2024 01:29:11.199409962 CEST44349712104.20.22.46192.168.2.5
                                                                                                  Oct 20, 2024 01:29:11.632189035 CEST44349712104.20.22.46192.168.2.5
                                                                                                  Oct 20, 2024 01:29:11.632288933 CEST44349712104.20.22.46192.168.2.5
                                                                                                  Oct 20, 2024 01:29:11.632397890 CEST49712443192.168.2.5104.20.22.46
                                                                                                  Oct 20, 2024 01:29:11.670346975 CEST49712443192.168.2.5104.20.22.46
                                                                                                  Oct 20, 2024 01:29:31.521873951 CEST4970680192.168.2.5208.95.112.1

                                                                                                  UDP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Oct 20, 2024 01:29:02.796992064 CEST5518753192.168.2.51.1.1.1
                                                                                                  Oct 20, 2024 01:29:02.804908037 CEST53551871.1.1.1192.168.2.5
                                                                                                  Oct 20, 2024 01:29:05.326231956 CEST6353553192.168.2.51.1.1.1
                                                                                                  Oct 20, 2024 01:29:05.333462000 CEST53635351.1.1.1192.168.2.5
                                                                                                  Oct 20, 2024 01:29:07.597062111 CEST5145153192.168.2.51.1.1.1
                                                                                                  Oct 20, 2024 01:29:07.604362965 CEST53514511.1.1.1192.168.2.5
                                                                                                  Oct 20, 2024 01:29:10.496304989 CEST5999553192.168.2.51.1.1.1
                                                                                                  Oct 20, 2024 01:29:10.505816936 CEST53599951.1.1.1192.168.2.5

                                                                                                  DNS Queries

                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                  Oct 20, 2024 01:29:02.796992064 CEST192.168.2.51.1.1.10xd0acStandard query (0)getsolara.devA (IP address)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:05.326231956 CEST192.168.2.51.1.1.10x9203Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:07.597062111 CEST192.168.2.51.1.1.10xd6e8Standard query (0)clientsettings.roblox.comA (IP address)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:10.496304989 CEST192.168.2.51.1.1.10x414bStandard query (0)www.nodejs.orgA (IP address)IN (0x0001)false

                                                                                                  DNS Answers

                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                  Oct 20, 2024 01:29:02.804908037 CEST1.1.1.1192.168.2.50xd0acNo error (0)getsolara.dev172.67.203.125A (IP address)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:02.804908037 CEST1.1.1.1192.168.2.50xd0acNo error (0)getsolara.dev104.21.93.27A (IP address)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:05.333462000 CEST1.1.1.1192.168.2.50x9203No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:07.604362965 CEST1.1.1.1192.168.2.50xd6e8No error (0)clientsettings.roblox.comtitanium.roblox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:07.604362965 CEST1.1.1.1192.168.2.50xd6e8No error (0)titanium.roblox.comedge-term4.roblox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:07.604362965 CEST1.1.1.1192.168.2.50xd6e8No error (0)edge-term4.roblox.comedge-term4-fra2.roblox.comCNAME (Canonical name)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:07.604362965 CEST1.1.1.1192.168.2.50xd6e8No error (0)edge-term4-fra2.roblox.com128.116.123.3A (IP address)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:10.505816936 CEST1.1.1.1192.168.2.50x414bNo error (0)www.nodejs.org104.20.22.46A (IP address)IN (0x0001)false
                                                                                                  Oct 20, 2024 01:29:10.505816936 CEST1.1.1.1192.168.2.50x414bNo error (0)www.nodejs.org104.20.23.46A (IP address)IN (0x0001)false

                                                                                                  HTTP Request Dependency Graph

                                                                                                  • getsolara.dev
                                                                                                  • clientsettings.roblox.com
                                                                                                  • www.nodejs.org
                                                                                                  • ip-api.com

                                                                                                  HTTP Packets

                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  0192.168.2.549706208.95.112.1806300C:\Users\user\AppData\Roaming\Xslide.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  Oct 20, 2024 01:29:05.343687057 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                                                                                  Host: ip-api.com
                                                                                                  Connection: Keep-Alive
                                                                                                  Oct 20, 2024 01:29:05.953402996 CEST174INHTTP/1.1 200 OK
                                                                                                  Date: Sat, 19 Oct 2024 23:29:05 GMT
                                                                                                  Content-Type: text/plain; charset=utf-8
                                                                                                  Content-Length: 5
                                                                                                  Access-Control-Allow-Origin: *
                                                                                                  X-Ttl: 60
                                                                                                  X-Rl: 44
                                                                                                  Data Raw: 74 72 75 65 0a
                                                                                                  Data Ascii: true


                                                                                                  HTTPS Proxied Packets

                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  0192.168.2.549704172.67.203.1254436788C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  2024-10-19 23:29:03 UTC81OUTGET /asset/discord.json HTTP/1.1
                                                                                                  Host: getsolara.dev
                                                                                                  Connection: Keep-Alive
                                                                                                  2024-10-19 23:29:03 UTC1020INHTTP/1.1 200 OK
                                                                                                  Date: Sat, 19 Oct 2024 23:29:03 GMT
                                                                                                  Content-Type: application/json
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Access-Control-Allow-Origin: *
                                                                                                  Cache-Control: public, max-age=0, must-revalidate
                                                                                                  ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
                                                                                                  referrer-policy: strict-origin-when-cross-origin
                                                                                                  x-content-type-options: nosniff
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QhfiQOecnRa4fOLofvoyW5%2BR5omjS5MP30HBxrTom1wPEtrPYo3A8GW%2F2tSP3PBVLOnnPYNVR5nTZNTRZ53fV4H82uKzAUYVN9RuZxQaDjsPGxS%2BBvFR6MKl%2FZKu59lS"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Vary: Accept-Encoding
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  Strict-Transport-Security: max-age=0
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 8d548c4eaffbddb0-DFW
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1294&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2812&recv_bytes=695&delivery_rate=2343042&cwnd=37&unsent_bytes=0&cid=58eb838e2144c7d4&ts=498&x=0"
                                                                                                  2024-10-19 23:29:03 UTC109INData Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a
                                                                                                  Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
                                                                                                  2024-10-19 23:29:03 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  1192.168.2.549707172.67.203.1254436788C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  2024-10-19 23:29:07 UTC56OUTGET /api/endpoint.json HTTP/1.1
                                                                                                  Host: getsolara.dev
                                                                                                  2024-10-19 23:29:07 UTC1018INHTTP/1.1 200 OK
                                                                                                  Date: Sat, 19 Oct 2024 23:29:07 GMT
                                                                                                  Content-Type: application/json
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Access-Control-Allow-Origin: *
                                                                                                  Cache-Control: public, max-age=0, must-revalidate
                                                                                                  ETag: W/"d5b1b21ea841e30137558eeb7f510379"
                                                                                                  referrer-policy: strict-origin-when-cross-origin
                                                                                                  x-content-type-options: nosniff
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ht41pV%2FEhOaSrDHWGQo6cR0%2Bo7tQynljOcG2RemjXYPjcUoHxjKD4M78HfWvTFe4BeZq4ymUi3PS%2B6yv4mI2yfj6hSvlAroBNc0mKfGBHWWTmdnlsoeaeMZg1Cgo4giQ"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Vary: Accept-Encoding
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  Strict-Transport-Security: max-age=0
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 8d548c63f8c06c33-DFW
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=984&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2813&recv_bytes=694&delivery_rate=2931174&cwnd=251&unsent_bytes=0&cid=24159c1338567a23&ts=170&x=0"
                                                                                                  2024-10-19 23:29:07 UTC351INData Raw: 32 32 65 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 32 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 39 64 62 66 39 37 38 30 35 36 32 34 34 34 65 31 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 32 32 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 33 30 30 66 61 36 32 32 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73
                                                                                                  Data Ascii: 22e{ "BootstrapperVersion": "1.22", "SupportedClient": "version-9dbf9780562444e1", "SoftwareVersion": "3.122", "BootstrapperUrl": "https://300fa622.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
                                                                                                  2024-10-19 23:29:07 UTC214INData Raw: 70 73 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 30 38 66 39 30 33 66 38 66 61 35 37 37 61 62 30 32 37 64 36 61 39 36 63 32 30 33 62 62 33 39 62 36 61 39 33 64 34 61 63 39 34 62 38 63 39 32 37 31 64 36 32 34 33 33 34 63 33 38 62 33 61 30 33 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 20 49 6d 70 72 6f 76 65 64 20 6c 6f 61 64 73 74 72 69 6e 67 20 74 69 6d 65 73 22 0a 7d 0d 0a
                                                                                                  Data Ascii: ps://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"08f903f8fa577ab027d6a96c203bb39b6a93d4ac94b8c9271d624334c38b3a03", "Changelog":"[+] Improved loadstring times"}
                                                                                                  2024-10-19 23:29:07 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  2192.168.2.549708128.116.123.34436788C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  2024-10-19 23:29:08 UTC119OUTGET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
                                                                                                  Host: clientsettings.roblox.com
                                                                                                  Connection: Keep-Alive
                                                                                                  2024-10-19 23:29:08 UTC576INHTTP/1.1 200 OK
                                                                                                  content-length: 119
                                                                                                  content-type: application/json; charset=utf-8
                                                                                                  date: Sat, 19 Oct 2024 23:29:08 GMT
                                                                                                  server: Kestrel
                                                                                                  cache-control: no-cache
                                                                                                  strict-transport-security: max-age=3600
                                                                                                  x-frame-options: SAMEORIGIN
                                                                                                  roblox-machine-id: f848f17e-311f-7fbf-5644-fe73e8166fd9
                                                                                                  x-roblox-region: us-central_rbx
                                                                                                  x-roblox-edge: fra2
                                                                                                  report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
                                                                                                  nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
                                                                                                  connection: close
                                                                                                  2024-10-19 23:29:08 UTC119INData Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 34 37 2e 30 2e 36 34 37 30 37 31 37 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 39 64 62 66 39 37 38 30 35 36 32 34 34 34 65 31 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 30 2c 20 36 34 37 30 37 31 37 22 7d
                                                                                                  Data Ascii: {"version":"0.647.0.6470717","clientVersionUpload":"version-9dbf9780562444e1","bootstrapperVersion":"1, 6, 0, 6470717"}


                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  3192.168.2.549712104.20.22.464436788C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  2024-10-19 23:29:11 UTC99OUTGET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
                                                                                                  Host: www.nodejs.org
                                                                                                  Connection: Keep-Alive
                                                                                                  2024-10-19 23:29:11 UTC497INHTTP/1.1 307 Temporary Redirect
                                                                                                  Date: Sat, 19 Oct 2024 23:29:11 GMT
                                                                                                  Content-Type: text/plain
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Cache-Control: public, max-age=0, must-revalidate
                                                                                                  location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                                                                                                  strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                  x-vercel-id: cle1::4zfpd-1729380551527-298ab44bdc40
                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 8d548c7d2c0b4660-DFW
                                                                                                  2024-10-19 23:29:11 UTC20INData Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a
                                                                                                  Data Ascii: fRedirecting...
                                                                                                  2024-10-19 23:29:11 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


                                                                                                  Statistics

                                                                                                  CPU Usage

                                                                                                  Click to jump to process

                                                                                                  Memory Usage

                                                                                                  Click to jump to process

                                                                                                  High Level Behavior Distribution

                                                                                                  Click to dive into process behavior distribution

                                                                                                  Behavior

                                                                                                  Click to jump to process

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Target ID:0
                                                                                                  Start time:19:29:00
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Users\user\Desktop\hKWBNgRd7p.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Users\user\Desktop\hKWBNgRd7p.exe"
                                                                                                  Imagebase:0xe80000
                                                                                                  File size:1'073'152 bytes
                                                                                                  MD5 hash:6733C81BA7E5E5A8BB1E10C032F5EEEC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2046437640.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:2
                                                                                                  Start time:19:29:01
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\Xslide.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Xslide.exe"
                                                                                                  Imagebase:0xe20000
                                                                                                  File size:78'336 bytes
                                                                                                  MD5 hash:92D8E68510A37876B612FE5DE1204F19
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2338478812.000000000307C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.2043977580.0000000000E22000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Xslide.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Xslide.exe, Author: Joe Security
                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Xslide.exe, Author: ditekSHen
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 88%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:3
                                                                                                  Start time:19:29:01
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\BootstrapperV1.22.exe"
                                                                                                  Imagebase:0x1eda4090000
                                                                                                  File size:819'200 bytes
                                                                                                  MD5 hash:2A4DCF20B82896BE94EB538260C5FB93
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 63%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:4
                                                                                                  Start time:19:29:01
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:5
                                                                                                  Start time:19:29:01
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"cmd" /c ipconfig /all
                                                                                                  Imagebase:0x7ff6e8bc0000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:6
                                                                                                  Start time:19:29:01
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:7
                                                                                                  Start time:19:29:01
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Windows\System32\ipconfig.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:ipconfig /all
                                                                                                  Imagebase:0x7ff762920000
                                                                                                  File size:35'840 bytes
                                                                                                  MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:10
                                                                                                  Start time:19:29:05
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 6300 -s 1656
                                                                                                  Imagebase:0x7ff774c00000
                                                                                                  File size:570'736 bytes
                                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:13
                                                                                                  Start time:19:29:12
                                                                                                  Start date:19/10/2024
                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 6788 -s 2196
                                                                                                  Imagebase:0x7ff774c00000
                                                                                                  File size:570'736 bytes
                                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Disassembly

                                                                                                  Reset < >

                                                                                                    Executed Functions

                                                                                                    Function 00007FF848DA1121 Relevance: .4, Instructions: 408COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e25c0c9682b2ecd9d15d3ebacaa184133699532277deb62895e2837a286fa3d3
                                                                                                    • Instruction ID: 44a8ce49fa342c680e7ecab4ec4a7881d47d0c9690113b0d2da72437a6e3e727
                                                                                                    • Opcode Fuzzy Hash: e25c0c9682b2ecd9d15d3ebacaa184133699532277deb62895e2837a286fa3d3
                                                                                                    • Instruction Fuzzy Hash: E521A131F1994D9FEB84FB6C98996B977E2EF99741B04007AE40EC3297EE289C458701
                                                                                                    Function 00007FF848DA09F7 Relevance: .2, Instructions: 205COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d0559bf08aa53076b7d3893762536527e62579363d50330845b400c4267b97db
                                                                                                    • Instruction ID: a0189262986f727b8bdeee2db974720c2741ff3a75a5bbd137277a370475db15
                                                                                                    • Opcode Fuzzy Hash: d0559bf08aa53076b7d3893762536527e62579363d50330845b400c4267b97db
                                                                                                    • Instruction Fuzzy Hash: 3C713E30A199098FEB98FB68C498B6DB7E2FF54355F644268E05AD32D1CF38AC45CB44
                                                                                                    Function 00007FF848DA0D80 Relevance: .1, Instructions: 110COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c1dd9ed8c7b9d7ff0eb58c3b2fe2893b72bf52ba40f5d6f87aef24f84dc98ae1
                                                                                                    • Instruction ID: bb3347ec27f8120550578c51e587a190ec59df0bb4f4d36260bbe4a7eeb5cfc4
                                                                                                    • Opcode Fuzzy Hash: c1dd9ed8c7b9d7ff0eb58c3b2fe2893b72bf52ba40f5d6f87aef24f84dc98ae1
                                                                                                    • Instruction Fuzzy Hash: 26319A6284E3C69FD74367705C664A17FF09E47260B0E40EBD4C4CB4E3D61C6A9AC762
                                                                                                    Function 00007FF848DA0498 Relevance: .1, Instructions: 91COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 69407208162ae05a38fb4b728b54fb31263a8195a86b9cb7c76b33fef75db425
                                                                                                    • Instruction ID: 616cde9909008fa2dae556b9cc70f130a0ee8d6ef24894ed413d91e3eb325079
                                                                                                    • Opcode Fuzzy Hash: 69407208162ae05a38fb4b728b54fb31263a8195a86b9cb7c76b33fef75db425
                                                                                                    • Instruction Fuzzy Hash: 5B218131F1994D9FEB84FA6898996BD77E2EB98741B04007AD40ED3296EE28AC458700
                                                                                                    Function 00007FF848DA0951 Relevance: .1, Instructions: 60COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e493b194e47a38f2c6df1b67e07569e61b2485f62f913e9af314ef0abd885aa4
                                                                                                    • Instruction ID: 821c6cd2fd164a37bdd3ca4040ba0f3786290cca74b8ef1f070dc237aee37734
                                                                                                    • Opcode Fuzzy Hash: e493b194e47a38f2c6df1b67e07569e61b2485f62f913e9af314ef0abd885aa4
                                                                                                    • Instruction Fuzzy Hash: 9011AC71C09B488FEB44EFA8C4493EDBBF1FF58314F24416AD444E7282DB79994A8B45
                                                                                                    Function 00007FF848DA0E71 Relevance: .1, Instructions: 54COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fe4980d61ea0949b4399ec667a1e6284a39884c0d6545378812ad08727b487eb
                                                                                                    • Instruction ID: 54c0af94902ddd1627efe5aab9f6df0aad9c1e918c4a69072d765ce71da3b4d7
                                                                                                    • Opcode Fuzzy Hash: fe4980d61ea0949b4399ec667a1e6284a39884c0d6545378812ad08727b487eb
                                                                                                    • Instruction Fuzzy Hash: 58012130A2EA898FD784FB3898922B833D1EF88754F14007AC549C3386DF2CAC468785
                                                                                                    Function 00007FF848DA0EF9 Relevance: .1, Instructions: 52COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f7e452fbe2b1d4ac0e26ce7b92491d1bb9c74374e29417edb85d3a56fd4a6f7e
                                                                                                    • Instruction ID: 33c5db08eb0aa707bf9d58eeb1a33c665f74a6e6c5a5553cd72fa39fca70e71c
                                                                                                    • Opcode Fuzzy Hash: f7e452fbe2b1d4ac0e26ce7b92491d1bb9c74374e29417edb85d3a56fd4a6f7e
                                                                                                    • Instruction Fuzzy Hash: E7012422D0E7858FF314BB78585A2B0BBD0EF45284F1A40FAD049C3093EE18AC498351
                                                                                                    Function 00007FF848DA04B0 Relevance: .0, Instructions: 45COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b7873bb0e3b58eecd9057d993956ab51b91c25be9f0fcbcf0a04dab78c1a05ec
                                                                                                    • Instruction ID: 924da3164a21a8cd225015b8bf8b5971d49dab82ec86a512eb15c8cea4b94ed0
                                                                                                    • Opcode Fuzzy Hash: b7873bb0e3b58eecd9057d993956ab51b91c25be9f0fcbcf0a04dab78c1a05ec
                                                                                                    • Instruction Fuzzy Hash: 01F0FF30B2EA199FD694F628988077973D2EB88794F600039D40EC3384DF2CA8428785
                                                                                                    Function 00007FF848DA04A8 Relevance: .0, Instructions: 45COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6f306d2cc0280555729057e80d7c0add26e390bc94b4e907106538d3939d1966
                                                                                                    • Instruction ID: 0d7fe17495357fa6d3ad55ed021a8db906907ded96b856933b47a55b66340c00
                                                                                                    • Opcode Fuzzy Hash: 6f306d2cc0280555729057e80d7c0add26e390bc94b4e907106538d3939d1966
                                                                                                    • Instruction Fuzzy Hash: 16F02830A2E65A9FD754F67C988177973D1EF88794F200139D50DC3285CF2CB8418784
                                                                                                    Function 00007FF848DA0F3F Relevance: .0, Instructions: 30COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2047655465.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff848da0000_hKWBNgRd7p.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4d4ad9816f6292913eb5e43ee6dd1d50bb2deb39b935287037083bf143b47ed5
                                                                                                    • Instruction ID: ee9cea6a4ca083c3a1e494709dff1963416cce30f4d0cba1c34d0b2445bce957
                                                                                                    • Opcode Fuzzy Hash: 4d4ad9816f6292913eb5e43ee6dd1d50bb2deb39b935287037083bf143b47ed5
                                                                                                    • Instruction Fuzzy Hash: 65E0CD11F1DE094FF79C757D68553B4B7C2DB88650F501039E00EC32C7DD499C864285

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:12.3%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:100%
                                                                                                    Total number of Nodes:3
                                                                                                    Total number of Limit Nodes:0
                                                                                                    execution_graph 3252 7ff848d87a71 3253 7ff848d87a8c CheckRemoteDebuggerPresent 3252->3253 3255 7ff848d87b2f 3253->3255

                                                                                                    Executed Functions

                                                                                                    Function 00007FF848D87A71 Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                                    • String ID:
                                                                                                    • API String ID: 3662101638-0
                                                                                                    • Opcode ID: 9d79fa58929f7c59e7601720526e328407d4ad3a12a03fbf2772b19f737f4718
                                                                                                    • Instruction ID: 6a6530f7bdc20a1f0e000331404d954e9f5e5d583c746057467f67275ae408b2
                                                                                                    • Opcode Fuzzy Hash: 9d79fa58929f7c59e7601720526e328407d4ad3a12a03fbf2772b19f737f4718
                                                                                                    • Instruction Fuzzy Hash: 6051013180D68C8FDB55EB6988457F97FE0FF56321F0802AAD498C7192DB38A949CB91
                                                                                                    Function 00007FF848D816E9 Relevance: .7, Instructions: 701COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 106 7ff848d816e9-7ff848d816ea 107 7ff848d816ec-7ff848d8170b 106->107 108 7ff848d81734-7ff848d81750 106->108 115 7ff848d8170d-7ff848d81715 107->115 116 7ff848d8177c-7ff848d81780 107->116 109 7ff848d81f7a-7ff848d81fc1 108->109 110 7ff848d81756-7ff848d81764 call 7ff848d80620 108->110 121 7ff848d81769-7ff848d81787 call 7ff848d80620 110->121 115->108 118 7ff848d8178c-7ff848d81885 call 7ff848d80620 * 6 call 7ff848d80a48 116->118 119 7ff848d81787 call 7ff848d80620 116->119 156 7ff848d8188f-7ff848d81901 call 7ff848d804b0 call 7ff848d80358 call 7ff848d80368 118->156 157 7ff848d81887-7ff848d8188e 118->157 119->118 121->118 170 7ff848d81914-7ff848d81924 156->170 171 7ff848d81903-7ff848d8190d 156->171 157->156 174 7ff848d8194c-7ff848d8196c 170->174 175 7ff848d81926-7ff848d81945 call 7ff848d80358 170->175 171->170 181 7ff848d8196e-7ff848d81978 call 7ff848d80378 174->181 182 7ff848d8197d-7ff848d819e1 call 7ff848d81038 174->182 175->174 181->182 192 7ff848d819e7-7ff848d81a7c 182->192 193 7ff848d81a81-7ff848d81b0f 182->193 212 7ff848d81b16-7ff848d81c54 call 7ff848d80870 call 7ff848d80858 call 7ff848d80388 call 7ff848d80398 192->212 193->212 236 7ff848d81c56-7ff848d81c89 212->236 237 7ff848d81ca2-7ff848d81cd5 212->237 236->237 244 7ff848d81c8b-7ff848d81c98 236->244 247 7ff848d81cfa-7ff848d81d2a 237->247 248 7ff848d81cd7-7ff848d81cf8 237->248 244->237 249 7ff848d81c9a-7ff848d81ca0 244->249 250 7ff848d81d32-7ff848d81d69 247->250 248->250 249->237 257 7ff848d81d8e-7ff848d81dbe 250->257 258 7ff848d81d6b-7ff848d81d8c 250->258 259 7ff848d81dc6-7ff848d81e4a call 7ff848d803a8 call 7ff848d809e8 257->259 258->259 270 7ff848d81e4c-7ff848d81e51 259->270 271 7ff848d81e52-7ff848d81ea8 call 7ff848d81038 259->271 270->271 280 7ff848d81eaf-7ff848d81eba 271->280 281 7ff848d81eaa call 7ff848d81220 271->281 284 7ff848d81ebc-7ff848d81ec1 280->284 285 7ff848d81ec2-7ff848d81f48 280->285 281->280 284->285
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0472ef442f3aefe04f0999b5fc7f9dd650c6371f79edb3c49255598a38a3d126
                                                                                                    • Instruction ID: 99dbca291faad7ebdb729c4dc79b342d0acbe7ff9d99db675c65013001ab64aa
                                                                                                    • Opcode Fuzzy Hash: 0472ef442f3aefe04f0999b5fc7f9dd650c6371f79edb3c49255598a38a3d126
                                                                                                    • Instruction Fuzzy Hash: 2D22D520F2D9499FEB98FB2884597B9B7D2FF88780F440579D05EC32C6DE28AC498745
                                                                                                    Function 00007FF848D8172B Relevance: .7, Instructions: 652COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 294 7ff848d8172b-7ff848d81733 296 7ff848d81734-7ff848d81750 294->296 297 7ff848d81f7a-7ff848d81fc1 296->297 298 7ff848d81756-7ff848d81764 call 7ff848d80620 296->298 303 7ff848d81769-7ff848d81885 call 7ff848d80620 * 7 call 7ff848d80a48 298->303 339 7ff848d8188f-7ff848d81901 call 7ff848d804b0 call 7ff848d80358 call 7ff848d80368 303->339 340 7ff848d81887-7ff848d8188e 303->340 353 7ff848d81914-7ff848d81924 339->353 354 7ff848d81903-7ff848d8190d 339->354 340->339 357 7ff848d8194c-7ff848d8196c 353->357 358 7ff848d81926-7ff848d81945 call 7ff848d80358 353->358 354->353 364 7ff848d8196e-7ff848d81978 call 7ff848d80378 357->364 365 7ff848d8197d-7ff848d819e1 call 7ff848d81038 357->365 358->357 364->365 375 7ff848d819e7-7ff848d81a7c 365->375 376 7ff848d81a81-7ff848d81b0f 365->376 395 7ff848d81b16-7ff848d81c54 call 7ff848d80870 call 7ff848d80858 call 7ff848d80388 call 7ff848d80398 375->395 376->395 419 7ff848d81c56-7ff848d81c89 395->419 420 7ff848d81ca2-7ff848d81cd5 395->420 419->420 427 7ff848d81c8b-7ff848d81c98 419->427 430 7ff848d81cfa-7ff848d81d2a 420->430 431 7ff848d81cd7-7ff848d81cf8 420->431 427->420 432 7ff848d81c9a-7ff848d81ca0 427->432 433 7ff848d81d32-7ff848d81d69 430->433 431->433 432->420 440 7ff848d81d8e-7ff848d81dbe 433->440 441 7ff848d81d6b-7ff848d81d8c 433->441 442 7ff848d81dc6-7ff848d81e4a call 7ff848d803a8 call 7ff848d809e8 440->442 441->442 453 7ff848d81e4c-7ff848d81e51 442->453 454 7ff848d81e52-7ff848d81ea8 call 7ff848d81038 442->454 453->454 463 7ff848d81eaf-7ff848d81eba 454->463 464 7ff848d81eaa call 7ff848d81220 454->464 467 7ff848d81ebc-7ff848d81ec1 463->467 468 7ff848d81ec2-7ff848d81f48 463->468 464->463 467->468
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6684a11793f440f19a4592d69405dd870b7ed22010f8f97da0394e083aadbc50
                                                                                                    • Instruction ID: 1044894013b032034c73e0fec77b0ce0a159ca46772f9bbe3e7d354999b1088f
                                                                                                    • Opcode Fuzzy Hash: 6684a11793f440f19a4592d69405dd870b7ed22010f8f97da0394e083aadbc50
                                                                                                    • Instruction Fuzzy Hash: 7612B420F2D9499FEB98F72884597B9B7D2FF98780F440579D04EC32C6DE28AC498745
                                                                                                    Function 00007FF848D860B6 Relevance: .5, Instructions: 472COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 477 7ff848d860b6-7ff848d860c3 478 7ff848d860ce-7ff848d86106 477->478 479 7ff848d860c5-7ff848d860cd 477->479 480 7ff848d86107-7ff848d8612d 478->480 479->478 480->480 481 7ff848d8612f-7ff848d86197 480->481 484 7ff848d86199-7ff848d861a2 481->484 485 7ff848d86203 481->485 484->485 487 7ff848d861a4-7ff848d861b0 484->487 486 7ff848d86205-7ff848d8622a 485->486 494 7ff848d8622c-7ff848d86235 486->494 495 7ff848d86296 486->495 488 7ff848d861e9-7ff848d86201 487->488 489 7ff848d861b2-7ff848d861c4 487->489 488->486 491 7ff848d861c8-7ff848d861db 489->491 492 7ff848d861c6 489->492 491->491 493 7ff848d861dd-7ff848d861e5 491->493 492->491 493->488 494->495 496 7ff848d86237-7ff848d86243 494->496 497 7ff848d86298-7ff848d86340 495->497 498 7ff848d8627c-7ff848d86294 496->498 499 7ff848d86245-7ff848d86257 496->499 508 7ff848d863ae 497->508 509 7ff848d86342-7ff848d8634c 497->509 498->497 501 7ff848d8625b-7ff848d8626e 499->501 502 7ff848d86259 499->502 501->501 504 7ff848d86270-7ff848d86278 501->504 502->501 504->498 510 7ff848d863b0-7ff848d863d9 508->510 509->508 511 7ff848d8634e-7ff848d8635b 509->511 517 7ff848d863db-7ff848d863e6 510->517 518 7ff848d86443 510->518 512 7ff848d8635d-7ff848d8636f 511->512 513 7ff848d86394-7ff848d863ac 511->513 515 7ff848d86373-7ff848d86386 512->515 516 7ff848d86371 512->516 513->510 515->515 519 7ff848d86388-7ff848d86390 515->519 516->515 517->518 520 7ff848d863e8-7ff848d863f6 517->520 521 7ff848d86445-7ff848d864d6 518->521 519->513 522 7ff848d8642f-7ff848d86441 520->522 523 7ff848d863f8-7ff848d8640a 520->523 529 7ff848d864dc-7ff848d864eb 521->529 522->521 524 7ff848d8640e-7ff848d86421 523->524 525 7ff848d8640c 523->525 524->524 527 7ff848d86423-7ff848d8642b 524->527 525->524 527->522 530 7ff848d864ed 529->530 531 7ff848d864f3-7ff848d86529 529->531 530->531 536 7ff848d8652a-7ff848d86550 call 7ff848d86574 531->536 539 7ff848d86552-7ff848d86558 536->539 540 7ff848d8655f-7ff848d86572 539->540 541 7ff848d8655a 539->541 541->540
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 142fcedaab7f6cd61bb7231ac05fd1b620e1408cd2539821455609f9f6d5dfe8
                                                                                                    • Instruction ID: 43eb605fee2da376e436ebc967e2c29793bf31c7302a65e0929e0356741fda68
                                                                                                    • Opcode Fuzzy Hash: 142fcedaab7f6cd61bb7231ac05fd1b620e1408cd2539821455609f9f6d5dfe8
                                                                                                    • Instruction Fuzzy Hash: FCF1C43090DA8D8FEBA8EF28DC597E937D1FF54350F04466AD85DC7295DB3498448B82
                                                                                                    Function 00007FF848D86E62 Relevance: .5, Instructions: 458COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 542 7ff848d86e62-7ff848d86e6f 543 7ff848d86e7a-7ff848d86eb6 542->543 544 7ff848d86e71-7ff848d86e79 542->544 546 7ff848d86eb7-7ff848d86edd 543->546 544->543 546->546 547 7ff848d86edf-7ff848d86f47 546->547 550 7ff848d86f49-7ff848d86f52 547->550 551 7ff848d86fb3 547->551 550->551 552 7ff848d86f54-7ff848d86f60 550->552 553 7ff848d86fb5-7ff848d86fda 551->553 554 7ff848d86f99-7ff848d86fb1 552->554 555 7ff848d86f62-7ff848d86f74 552->555 560 7ff848d86fdc-7ff848d86fe5 553->560 561 7ff848d87046 553->561 554->553 556 7ff848d86f78-7ff848d86f8b 555->556 557 7ff848d86f76 555->557 556->556 559 7ff848d86f8d-7ff848d86f95 556->559 557->556 559->554 560->561 563 7ff848d86fe7-7ff848d86ff3 560->563 562 7ff848d87048-7ff848d8706d 561->562 570 7ff848d8706f-7ff848d87079 562->570 571 7ff848d870db 562->571 564 7ff848d8702c-7ff848d87044 563->564 565 7ff848d86ff5-7ff848d87007 563->565 564->562 566 7ff848d8700b-7ff848d8701e 565->566 567 7ff848d87009 565->567 566->566 569 7ff848d87020-7ff848d87028 566->569 567->566 569->564 570->571 573 7ff848d8707b-7ff848d87088 570->573 572 7ff848d870dd-7ff848d8710b 571->572 579 7ff848d8710d-7ff848d87118 572->579 580 7ff848d8717b 572->580 574 7ff848d8708a-7ff848d8709c 573->574 575 7ff848d870c1-7ff848d870d9 573->575 577 7ff848d8709e 574->577 578 7ff848d870a0-7ff848d870b3 574->578 575->572 577->578 578->578 581 7ff848d870b5-7ff848d870bd 578->581 579->580 582 7ff848d8711a-7ff848d87128 579->582 583 7ff848d8717d-7ff848d87255 580->583 581->575 584 7ff848d8712a-7ff848d8713c 582->584 585 7ff848d87161-7ff848d87179 582->585 593 7ff848d8725b-7ff848d8726a 583->593 586 7ff848d8713e 584->586 587 7ff848d87140-7ff848d87153 584->587 585->583 586->587 587->587 589 7ff848d87155-7ff848d8715d 587->589 589->585 594 7ff848d8726c 593->594 595 7ff848d87272-7ff848d872a5 593->595 594->595 600 7ff848d872a6-7ff848d872cc call 7ff848d872f0 595->600 603 7ff848d872ce-7ff848d872d4 600->603 604 7ff848d872db-7ff848d872ee 603->604 605 7ff848d872d6 603->605 605->604
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0d271b72379f5f773ca102d816235715ceb49a0935bf01e899451c31ef74411a
                                                                                                    • Instruction ID: 6c6619e8dec75462b893fcaab4fadee998ce73c010e527a46f945c3d99bcaf6d
                                                                                                    • Opcode Fuzzy Hash: 0d271b72379f5f773ca102d816235715ceb49a0935bf01e899451c31ef74411a
                                                                                                    • Instruction Fuzzy Hash: EEE1B23090DA8E8FEBA8EF28C8557E977E1FB54350F14426AE85DC7295DF3898448B81
                                                                                                    Function 00007FF848D82321 Relevance: .4, Instructions: 409COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 606 7ff848d82321-7ff848d82326 607 7ff848d82328-7ff848d8233a 606->607 608 7ff848d8233c-7ff848d82345 607->608 609 7ff848d82384-7ff848d823c8 607->609 608->607 608->609 612 7ff848d823ca-7ff848d823de call 7ff848d812e8 609->612 614 7ff848d823e3-7ff848d823f6 612->614 615 7ff848d823f8-7ff848d8241c 614->615 616 7ff848d82423-7ff848d82466 615->616 620 7ff848d82468-7ff848d82473 616->620 621 7ff848d826eb-7ff848d826f3 call 7ff848d82738 620->621 622 7ff848d82479-7ff848d82484 620->622 627 7ff848d826ff-7ff848d82707 call 7ff848d82787 621->627 623 7ff848d82486-7ff848d82490 622->623 626 7ff848d82497-7ff848d824d1 623->626 639 7ff848d824ed-7ff848d824fe 626->639 640 7ff848d824d3-7ff848d824eb 626->640 632 7ff848d82713-7ff848d8271b call 7ff848d827d8 627->632 636 7ff848d82727-7ff848d82729 632->636 638 7ff848d8272c-7ff848d82736 636->638 641 7ff848d82508-7ff848d8254b 639->641 640->641 648 7ff848d82607-7ff848d8262b 641->648 649 7ff848d82551-7ff848d82588 641->649 653 7ff848d826e2-7ff848d826e9 648->653 654 7ff848d82631-7ff848d82668 648->654 664 7ff848d8258a-7ff848d825a2 649->664 665 7ff848d825a4-7ff848d825b5 649->665 653->621 655 7ff848d826f5-7ff848d826fd call 7ff848d82738 653->655 673 7ff848d8266a-7ff848d82682 654->673 674 7ff848d82684-7ff848d82695 654->674 655->627 662 7ff848d82709-7ff848d82711 call 7ff848d82787 655->662 662->632 670 7ff848d8271d-7ff848d82725 call 7ff848d827d8 662->670 668 7ff848d825bf-7ff848d82601 664->668 665->668 668->648 668->653 670->636 670->638 676 7ff848d8269f-7ff848d826c0 673->676 674->676 676->653 683 7ff848d826c2-7ff848d826da 676->683 683->622 685 7ff848d826e0 683->685 685->621
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6de9b1bd58c408d4e6fffa01491a39a89823f67bcae2854aca50c48baa63bf2e
                                                                                                    • Instruction ID: fb4b55f30c470981cf0e38fe34e400ffd87f36668b4b8af2d6cb3d98f68ad9ae
                                                                                                    • Opcode Fuzzy Hash: 6de9b1bd58c408d4e6fffa01491a39a89823f67bcae2854aca50c48baa63bf2e
                                                                                                    • Instruction Fuzzy Hash: 64C19030F1E94A5FEB98FA2888663B977D2FF98745F140179D05EC32C2DF28A8468745
                                                                                                    Function 00007FF848D820ED Relevance: .2, Instructions: 205COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 34e242fa9e0e7ad2873cf6c35a8d22acad8bfed9e6eee193962c925a04375c7c
                                                                                                    • Instruction ID: 8d433e2374929622a9dbb9e07fe1a36927e94e8c0d571cf61a3cd3aed39f2267
                                                                                                    • Opcode Fuzzy Hash: 34e242fa9e0e7ad2873cf6c35a8d22acad8bfed9e6eee193962c925a04375c7c
                                                                                                    • Instruction Fuzzy Hash: 64513120A1E6C95FD786AB384864376BFE0EF97255F1800FAE09DC71D7EE08080AC356

                                                                                                    Non-executed Functions

                                                                                                    Function 00007FF848D80860 Relevance: .7, Instructions: 734COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 37c9a841bd9ed8f6d7d2d5e20a5b887340f6fa1a52e162e1a4beb78dc498bba7
                                                                                                    • Instruction ID: c8f054565a1dfebb4fc3a52d74d9078f381a84c928274509a8d54f9b361aa30f
                                                                                                    • Opcode Fuzzy Hash: 37c9a841bd9ed8f6d7d2d5e20a5b887340f6fa1a52e162e1a4beb78dc498bba7
                                                                                                    • Instruction Fuzzy Hash: 3C32A720B2D9499FEB98FB28845A7B9B7D2FF98780F440579D04EC32C6DF28AC458745
                                                                                                    Function 00007FF848D81038 Relevance: .4, Instructions: 372COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2339692454.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848d80000_Xslide.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4af1d64fd7cbd123b74f597aa53b05fb7a0c276aafb519c75f7a9f1fe052981f
                                                                                                    • Instruction ID: 9af5574a8e5a7018a1fe5c0510611a6884c1e996656f63e6fefefab339603406
                                                                                                    • Opcode Fuzzy Hash: 4af1d64fd7cbd123b74f597aa53b05fb7a0c276aafb519c75f7a9f1fe052981f
                                                                                                    • Instruction Fuzzy Hash: C1A13A2790F562AAD611B7BE74692F97F10FF813B5F0841B7D18C8E0979E04244E82F8

                                                                                                    Executed Functions

                                                                                                    Function 00007FF848DB6DB0 Relevance: 7.2, Strings: 5, Instructions: 941COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 8KH$8KH$8KH$8KH$8KH
                                                                                                    • API String ID: 0-2654934027
                                                                                                    • Opcode ID: 5f8ccda46b3d850cde2d2dca7e2fc87d9ab10eb59a7fbd2817508967694251b1
                                                                                                    • Instruction ID: ef3a44ebe55c4bc964a2d24715f54f6de7eee6f95329b09092f297a797e5a65b
                                                                                                    • Opcode Fuzzy Hash: 5f8ccda46b3d850cde2d2dca7e2fc87d9ab10eb59a7fbd2817508967694251b1
                                                                                                    • Instruction Fuzzy Hash: E2628F30A1D9499FDB98EF18C855BA937E2FF68384F0101B9E44DD3296DF28EC458B44
                                                                                                    Function 00007FF848DC2540 Relevance: .6, Instructions: 623COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9c5ee66c4b97bda02838e7aa8efdcefecd0816f08a6ed3830fb36eb1c033c0ea
                                                                                                    • Instruction ID: 1a98371cede0ad919b051fd3234e6513f0b946c2a8831e241cb0e81285fcb8a7
                                                                                                    • Opcode Fuzzy Hash: 9c5ee66c4b97bda02838e7aa8efdcefecd0816f08a6ed3830fb36eb1c033c0ea
                                                                                                    • Instruction Fuzzy Hash: 6022C63191DB858FD359EF2884447A6BBE1FFA5340F0486BED48AC7296DF24E849C781
                                                                                                    Function 00007FF848DB6DB8 Relevance: 7.9, Strings: 6, Instructions: 374COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: PfH$`dH$hfH$pdH$pfH$xdH
                                                                                                    • API String ID: 0-822065893
                                                                                                    • Opcode ID: ed0b219d089b9433b85c8f6b1122fd720aac1e2fbd1ceb5dd1e7a41a63600416
                                                                                                    • Instruction ID: 24f0fadb71da3fd80c90757e374fcf9eda6e232b7c9bcab39bc69698957dfc9d
                                                                                                    • Opcode Fuzzy Hash: ed0b219d089b9433b85c8f6b1122fd720aac1e2fbd1ceb5dd1e7a41a63600416
                                                                                                    • Instruction Fuzzy Hash: A5B11A72E0F9838FE255F67CA8592747BD1FF916A1F0401BBD088C71A7EE18984D8399
                                                                                                    Function 00007FF848DB59E8 Relevance: 4.3, Strings: 3, Instructions: 570COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `nH$`pH$`pH
                                                                                                    • API String ID: 0-1365947821
                                                                                                    • Opcode ID: 4a5402bc0d9cc8b4654ca69f68b3e7b8d62114c75ef20a8646c6a455a2a6d78b
                                                                                                    • Instruction ID: 25c76e6dee21f40b467c9c9a9f21bb9aca7755d2ffa795f6ab9988144db24716
                                                                                                    • Opcode Fuzzy Hash: 4a5402bc0d9cc8b4654ca69f68b3e7b8d62114c75ef20a8646c6a455a2a6d78b
                                                                                                    • Instruction Fuzzy Hash: C9F1E631F1EA0A4FE798F62C945977977D2FF98790F4402BAD00EC7296EE28AC464345
                                                                                                    Function 00007FF848DCF5B0 Relevance: 3.4, Strings: 2, Instructions: 920COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: H$,J_L
                                                                                                    • API String ID: 0-3089097941
                                                                                                    • Opcode ID: 8d22f5b601c19045e2a68f3f417e3d7dfae10099d78595566384efd43bafcf7a
                                                                                                    • Instruction ID: 8dc5bacf622a4ac374998f2df718337ee1d4e0e26326c8802151a41cbf362cb4
                                                                                                    • Opcode Fuzzy Hash: 8d22f5b601c19045e2a68f3f417e3d7dfae10099d78595566384efd43bafcf7a
                                                                                                    • Instruction Fuzzy Hash: 77E16A31E1EA8A4FE749BA2C58552F57BD2EF953D4F0401BAD84EC3187DF64A8078346
                                                                                                    Function 00007FF848DC79D0 Relevance: 3.3, Strings: 2, Instructions: 789COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 8KH$\
                                                                                                    • API String ID: 0-36124406
                                                                                                    • Opcode ID: 21a911c6416863924c1976c58fd2037c2a4250bd62bf1de1cc30d87c8198fe25
                                                                                                    • Instruction ID: dc9ef33d3e83f8ca83cba053f470bba22b3ca3622c25d50c673626be12d4910f
                                                                                                    • Opcode Fuzzy Hash: 21a911c6416863924c1976c58fd2037c2a4250bd62bf1de1cc30d87c8198fe25
                                                                                                    • Instruction Fuzzy Hash: 03321530A1DA468FE769EA2C844577977D1FF86380F14407ED48FC7292DF28B84A8756
                                                                                                    Function 00007FF848DBA7DA Relevance: 3.1, Strings: 2, Instructions: 560COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: vV_H$yV_H
                                                                                                    • API String ID: 0-3473733894
                                                                                                    • Opcode ID: 9ea973961ea4c5c314bf4352906b856b8a25877971bffd9c91e69fb3a9d63bd8
                                                                                                    • Instruction ID: 4b13652371fe92fecc2b9a42106b4f0d7d93276ee62c12f327dbfac2104ffb77
                                                                                                    • Opcode Fuzzy Hash: 9ea973961ea4c5c314bf4352906b856b8a25877971bffd9c91e69fb3a9d63bd8
                                                                                                    • Instruction Fuzzy Hash: 24121E71E1A9199FEBA4EA18D8997B873E1FB68350F4002F6D00DD3296DF346DC58B18
                                                                                                    Function 00007FF848DB6C90 Relevance: 2.7, Strings: 2, Instructions: 246COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #R_H$8KH
                                                                                                    • API String ID: 0-184637875
                                                                                                    • Opcode ID: a52d8ab74f75ccc71152a06eb0b3eb6c60b8c811abfc4b228ba783d2b33372e2
                                                                                                    • Instruction ID: 761aebcfe2678695a34f84ecb357a392a6e22107e5d81ac322c13ccc6b2e4e71
                                                                                                    • Opcode Fuzzy Hash: a52d8ab74f75ccc71152a06eb0b3eb6c60b8c811abfc4b228ba783d2b33372e2
                                                                                                    • Instruction Fuzzy Hash: AA71D730A1994E8FDF98EF5CC495BAA77E1FF68381F450179E40AD72A1CF24E8458B84
                                                                                                    Function 00007FF848DBBD19 Relevance: 2.7, Strings: 2, Instructions: 210COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @aH$aH
                                                                                                    • API String ID: 0-2730490517
                                                                                                    • Opcode ID: bee9cec78cb5566697bde0b9ac5c05076be980cf17dd9f499dcc5268c62ca783
                                                                                                    • Instruction ID: 5eb6829acfc3fe5e03c2ee8b63dd4f3095db0f4db495f3b9ef0254e7e9abee39
                                                                                                    • Opcode Fuzzy Hash: bee9cec78cb5566697bde0b9ac5c05076be980cf17dd9f499dcc5268c62ca783
                                                                                                    • Instruction Fuzzy Hash: 2D517E31D0E98E4FE755EA6C98556F97BE1EF653A0F0402BAD00DC7193DE1DA9068340
                                                                                                    Function 00007FF848DB7404 Relevance: 1.8, Strings: 1, Instructions: 583COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xWH
                                                                                                    • API String ID: 0-3052588224
                                                                                                    • Opcode ID: 10210d1078c6221d41ad21e50938c4bfb3687ae01617516f662c088013ec1899
                                                                                                    • Instruction ID: ca176df03abb2154ddec89a5c44f4a820d4f8639d8eb5e3ffdba597c73749e4d
                                                                                                    • Opcode Fuzzy Hash: 10210d1078c6221d41ad21e50938c4bfb3687ae01617516f662c088013ec1899
                                                                                                    • Instruction Fuzzy Hash: A602D430A0DA498FD799EB28D4947B97BE1FFA5310F14427ED48AC7296CF24E846C781
                                                                                                    Function 00007FF848DBFA56 Relevance: 1.8, Strings: 1, Instructions: 561COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `nH
                                                                                                    • API String ID: 0-4131821249
                                                                                                    • Opcode ID: 1809c1aa12cba67b3b808ec34a14ced2ff7653392246e17c3c79e5a36d514d6c
                                                                                                    • Instruction ID: 44f1557cc273783379d7deb6f240ca193a8b1c911636b38da38fdd5ce255d128
                                                                                                    • Opcode Fuzzy Hash: 1809c1aa12cba67b3b808ec34a14ced2ff7653392246e17c3c79e5a36d514d6c
                                                                                                    • Instruction Fuzzy Hash: 4302B430A1DA898FE758EB28845977AB7E2FFA8340F44457ED48DC3292DF34E8458746
                                                                                                    Function 00007FF848DB5968 Relevance: 1.8, Strings: 1, Instructions: 555COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `nH
                                                                                                    • API String ID: 0-4131821249
                                                                                                    • Opcode ID: 88282f198778d4a972bea6fbed9077c027caecf2ec33918c91e889f25cffeb14
                                                                                                    • Instruction ID: c867b0e00096653e49254d942ff92476f41ef924935f88acedc7df0c84c4f6b3
                                                                                                    • Opcode Fuzzy Hash: 88282f198778d4a972bea6fbed9077c027caecf2ec33918c91e889f25cffeb14
                                                                                                    • Instruction Fuzzy Hash: 9202B330A1DA8A8FE758EB28845977AB7E2FFA8340F40457DD48DC3292DF34E8458746
                                                                                                    Function 00007FF848DC55A9 Relevance: 1.7, Strings: 1, Instructions: 439COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 8KH
                                                                                                    • API String ID: 0-532331567
                                                                                                    • Opcode ID: 06968956ce577e5c974073216954ecb4b6dbd51d9b92e9b7dd0d72e86d9f34d9
                                                                                                    • Instruction ID: 550c0791f4ff3d7a38493de799d1cfbf1f65d84eb3ac7916c84fad43eb69cc05
                                                                                                    • Opcode Fuzzy Hash: 06968956ce577e5c974073216954ecb4b6dbd51d9b92e9b7dd0d72e86d9f34d9
                                                                                                    • Instruction Fuzzy Hash: 44D1F630A0EA064FEB69B62854913B977E2FF557D0F65417AC08FC71C2DE2D788A4385
                                                                                                    Function 00007FF848DBB09A Relevance: 1.7, Strings: 1, Instructions: 416COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: 9fd48e34038225a94bbd6e799b6cd33e1783349f9a3d4986298aaaff327e1c69
                                                                                                    • Instruction ID: d7e0142a9788851551b8b245247c265ed99a5de71839dd50a8332fbf78b4ca75
                                                                                                    • Opcode Fuzzy Hash: 9fd48e34038225a94bbd6e799b6cd33e1783349f9a3d4986298aaaff327e1c69
                                                                                                    • Instruction Fuzzy Hash: 0BC13130A1DB868FE769EB188440635B7E1FFA5390F1405BED08AC3297DE39F8068785
                                                                                                    Function 00007FF848DB93B0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: 397a133057d5c559469429fb760d0178ed9a4d9a73d9dbbd6f435d5dd2206843
                                                                                                    • Instruction ID: 4341ada8938e340e4bfd37e6449a21da3d575aed2394e09211a9c03898ad26e3
                                                                                                    • Opcode Fuzzy Hash: 397a133057d5c559469429fb760d0178ed9a4d9a73d9dbbd6f435d5dd2206843
                                                                                                    • Instruction Fuzzy Hash: 1DC1FF30A1DB458FD768EB18D48163AB3E1FFA9394F20457DD08AC3296DA35F8478B85
                                                                                                    Function 00007FF848DC9860 Relevance: 1.6, Strings: 1, Instructions: 378COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: 646d315c8586937d327ce72976d90a5d21b8f488a882c5f3bd487cc039529ef3
                                                                                                    • Instruction ID: 84a101f93751827fb1dc94476c3fd34bc53eb87a55e8a9284694d6f70332a517
                                                                                                    • Opcode Fuzzy Hash: 646d315c8586937d327ce72976d90a5d21b8f488a882c5f3bd487cc039529ef3
                                                                                                    • Instruction Fuzzy Hash: 21B1EC30A1DB098FD769EB18D481636B3E1FF98380F144A7DD48AC3696DA35F8478B85
                                                                                                    Function 00007FF848DB6D10 Relevance: 1.6, Strings: 1, Instructions: 360COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 8KH
                                                                                                    • API String ID: 0-532331567
                                                                                                    • Opcode ID: 248de663716ce9817981cc400f940b0433d2c8f69798f21d4708dcf8689b48c3
                                                                                                    • Instruction ID: 051e7c1ff051d2f2d30ad9dbb303ad8830fc87c300afe2f4107a8900f2924a8b
                                                                                                    • Opcode Fuzzy Hash: 248de663716ce9817981cc400f940b0433d2c8f69798f21d4708dcf8689b48c3
                                                                                                    • Instruction Fuzzy Hash: 1BA1E731A0CA484FEB68EB5CA84A6B87BD1FF99350F04017EE54ED3292DB25F845C785
                                                                                                    Function 00007FF848DB48E0 Relevance: 1.6, Strings: 1, Instructions: 331COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ?J_H
                                                                                                    • API String ID: 0-2972039108
                                                                                                    • Opcode ID: a7cd267ae64ed9ee38088a28368c0b21dd145579d4033201607200263072b147
                                                                                                    • Instruction ID: a82ac8ef6d9065f8c4237f68e47c2993e27a41c64b4a057b88e24861b351cc82
                                                                                                    • Opcode Fuzzy Hash: a7cd267ae64ed9ee38088a28368c0b21dd145579d4033201607200263072b147
                                                                                                    • Instruction Fuzzy Hash: FCB11361E0E74A8FE765BA78C4543B977E1EF463D0F0541BAD04AC71C2EF2CA84A8359
                                                                                                    Function 00007FF848DB5918 Relevance: 1.5, Strings: 1, Instructions: 277COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \Q_H
                                                                                                    • API String ID: 0-2294653880
                                                                                                    • Opcode ID: 403200e6d9df89d6b4bda6e4f021ff02499d0c9e9fab7f15133c7c8cfc5ef38b
                                                                                                    • Instruction ID: 468b8a3204ecb778fc17d6c67649f8e5a06b08e76f6d1e1d94d04005e6fe09a2
                                                                                                    • Opcode Fuzzy Hash: 403200e6d9df89d6b4bda6e4f021ff02499d0c9e9fab7f15133c7c8cfc5ef38b
                                                                                                    • Instruction Fuzzy Hash: 4D713B21F1ED864FE394A67C68593B47BD2EF99690F0901FBD04DC72EADD185C0A8345
                                                                                                    Function 00007FF848DCD668 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: dJ_H
                                                                                                    • API String ID: 0-2905161575
                                                                                                    • Opcode ID: 5a61ddc8f253a6bbd0cc9920284de8fdfd7489782f7078fbaafe19ccc283f89c
                                                                                                    • Instruction ID: 553f41774e3dca7dc6db5be902f1256d90c907cd8c130494a702ab646a7660f4
                                                                                                    • Opcode Fuzzy Hash: 5a61ddc8f253a6bbd0cc9920284de8fdfd7489782f7078fbaafe19ccc283f89c
                                                                                                    • Instruction Fuzzy Hash: 96513C22F0E94E4FD795E62C6C1927537D1EBE86E1B0402BBD40EC72D6DE289C4B8381
                                                                                                    Function 00007FF848DC28F4 Relevance: 1.4, Strings: 1, Instructions: 195COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ({H
                                                                                                    • API String ID: 0-3175941682
                                                                                                    • Opcode ID: 343770f8286838adb84bb7136e0a15c2fe3ac0a0cb0d07f07a48aafa007e58df
                                                                                                    • Instruction ID: 97967e8ba0ad4425eac1c1ed12df9bb0b28cd10a5bb77454c6b1916cfa8a4360
                                                                                                    • Opcode Fuzzy Hash: 343770f8286838adb84bb7136e0a15c2fe3ac0a0cb0d07f07a48aafa007e58df
                                                                                                    • Instruction Fuzzy Hash: 7B51D830B1D9594FDBA4FA2D905967937D1EFA8790F0001BAF44AC3296DF28EC458386
                                                                                                    Function 00007FF848DB90CA Relevance: 1.4, Strings: 1, Instructions: 160COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `&H
                                                                                                    • API String ID: 0-2663744841
                                                                                                    • Opcode ID: af4fa9fde3e26f43b5319aa612089af8bc3d7eb0e94579c931dc80fbacd5dd67
                                                                                                    • Instruction ID: 8bc49946c9a5665052b54a821c9bb5684d42d064a27fc746b22b34183e05ff33
                                                                                                    • Opcode Fuzzy Hash: af4fa9fde3e26f43b5319aa612089af8bc3d7eb0e94579c931dc80fbacd5dd67
                                                                                                    • Instruction Fuzzy Hash: 9141303170DC0D9FEAE4EA4CE498BA473D1EFA93A1F1405B6D04DC73AADA15DC468780
                                                                                                    Function 00007FF848DB7C50 Relevance: 1.4, Strings: 1, Instructions: 152COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: _
                                                                                                    • API String ID: 0-701932520
                                                                                                    • Opcode ID: 936b43e97a27b308d2418c2d9956d27e14c2d90b515fe7945251b6e85d1bbbff
                                                                                                    • Instruction ID: cac7676bc27802a58b17afa12e111a762852d4d4a53793a6671fbb8f74773e7d
                                                                                                    • Opcode Fuzzy Hash: 936b43e97a27b308d2418c2d9956d27e14c2d90b515fe7945251b6e85d1bbbff
                                                                                                    • Instruction Fuzzy Hash: 77413833E0F5555FE314B76CB8556F97790EF912B4F0842B7D088CB197DA08A48A83A8
                                                                                                    Function 00007FF848DCFBE9 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: H
                                                                                                    • API String ID: 0-3524016112
                                                                                                    • Opcode ID: b3691658696a94423f161ff6d93d9435d8be03567dbc112616b44d2781e97a16
                                                                                                    • Instruction ID: deeff224b1a18711fde594825105a4306385898ace98d39e30022ea992ca0a39
                                                                                                    • Opcode Fuzzy Hash: b3691658696a94423f161ff6d93d9435d8be03567dbc112616b44d2781e97a16
                                                                                                    • Instruction Fuzzy Hash: D631C531A0CA4D4FDB58FA1C988566577E1FFA9780F14016EE84DC3256DF61EC428785
                                                                                                    Function 00007FF848DB2C98 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xWH
                                                                                                    • API String ID: 0-3052588224
                                                                                                    • Opcode ID: df1772620e76dbe32e37d3f848a97a8698b97668d2f477395002abc277108225
                                                                                                    • Instruction ID: 3b748dec7160774ca193770d25a8f611e1984ae384488caaadafa038a88d0544
                                                                                                    • Opcode Fuzzy Hash: df1772620e76dbe32e37d3f848a97a8698b97668d2f477395002abc277108225
                                                                                                    • Instruction Fuzzy Hash: B931AE31F0981D8FEB98EB1DA4897B973E2FBA8751F0400BAE40ED7295DE249C054389
                                                                                                    Function 00007FF848DB49F2 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xWH
                                                                                                    • API String ID: 0-3052588224
                                                                                                    • Opcode ID: e26b44c2e07865104048fa73de8ca432fa4ba9ff2a6103b155fc7a27e9dc1417
                                                                                                    • Instruction ID: 127929f82220dba809b2c8655647a06a43e00f1e5ca5a3754bac2c53493451f5
                                                                                                    • Opcode Fuzzy Hash: e26b44c2e07865104048fa73de8ca432fa4ba9ff2a6103b155fc7a27e9dc1417
                                                                                                    • Instruction Fuzzy Hash: AB31B431E0DA5C4FDB95EB2C98597A97BE1FFA9350F0901B7E40DC7296CE249C098385
                                                                                                    Function 00007FF848DB118C Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID: 0-3916222277
                                                                                                    • Opcode ID: 82bf686c07404d84a6533bc3c9a643e79ab708a336f5a30d2784f78547e65f9a
                                                                                                    • Instruction ID: 5825119f6b08f9745284fbd5f0e93ad4c9214bc1240c24003b92248ba2d4207d
                                                                                                    • Opcode Fuzzy Hash: 82bf686c07404d84a6533bc3c9a643e79ab708a336f5a30d2784f78547e65f9a
                                                                                                    • Instruction Fuzzy Hash: 4111BE7045D3C69FDB44EF68C4852A97BE0EB5A364F5406BDD48AC7292DB3C9906CB02
                                                                                                    Function 00007FF848DB4D51 Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: P\H
                                                                                                    • API String ID: 0-702380682
                                                                                                    • Opcode ID: 50efe0ca432ef91660988a81f4e56fc24e7dc9577c8fbe5baff4686bb9018330
                                                                                                    • Instruction ID: eca5bd236d6ef0e6ab30db83ab6f1f119c873cbdc738a826622a011d84eb6cf6
                                                                                                    • Opcode Fuzzy Hash: 50efe0ca432ef91660988a81f4e56fc24e7dc9577c8fbe5baff4686bb9018330
                                                                                                    • Instruction Fuzzy Hash: E701D131C0E5896FD716EB3898596F97FF0EF65240F4501EAD488C71A2DA6865088312
                                                                                                    Function 00007FF848DC6F9D Relevance: .5, Instructions: 535COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ae4f7d9a57b45ac50b78323df7b160768879df62d8930f439b9d0747f714301f
                                                                                                    • Instruction ID: 1b528b193405bcc0425aaba993d1150aeb85001a0a620a9b2bec3f2e867e3251
                                                                                                    • Opcode Fuzzy Hash: ae4f7d9a57b45ac50b78323df7b160768879df62d8930f439b9d0747f714301f
                                                                                                    • Instruction Fuzzy Hash: C7F10421F1DA4A4FEB99A73C541A3B977D1EF99790F0402BAD04DC3287DF2CA8068345
                                                                                                    Function 00007FF848DCBD9E Relevance: .5, Instructions: 467COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6fcd7899351a49602c3cb1180c57e5bb903d819479aebac0171d2e55ee97e8cb
                                                                                                    • Instruction ID: d43fba56cde749f1d147fddf17067a617bf15680b4fcf64aa453b388bd7fe987
                                                                                                    • Opcode Fuzzy Hash: 6fcd7899351a49602c3cb1180c57e5bb903d819479aebac0171d2e55ee97e8cb
                                                                                                    • Instruction Fuzzy Hash: 78E13621A0E7864FE756A72858622B97BE1EF57390F1441BFC58AC71D3DF1C680B834A
                                                                                                    Function 00007FF848DC6EAC Relevance: .4, Instructions: 445COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7b4194a04dd7b49b8c86dd08a54389f68548e315f87007e6aef00964b382c30b
                                                                                                    • Instruction ID: f76e4dfe39c68a47c394e1a5b9db01dd638d384fac031a1574f09965f9008dac
                                                                                                    • Opcode Fuzzy Hash: 7b4194a04dd7b49b8c86dd08a54389f68548e315f87007e6aef00964b382c30b
                                                                                                    • Instruction Fuzzy Hash: 75C1F430F1DA498FDB95FB3C945A2793BE2FF99690B0501BAD04DC7296DF28AC068345
                                                                                                    Function 00007FF848DB09FF Relevance: .4, Instructions: 443COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0346eee3f004898c891fd84236fffd21699ecc9876099b2a0017e769ee5ffd2d
                                                                                                    • Instruction ID: 04fffc93e7e00f406a693d028b549ea6bf7cee4f8ab4aab8452c37ccfe1cd54b
                                                                                                    • Opcode Fuzzy Hash: 0346eee3f004898c891fd84236fffd21699ecc9876099b2a0017e769ee5ffd2d
                                                                                                    • Instruction Fuzzy Hash: 62F16A30A0E64A9FEB99FB68C4557ADB7E1EF54350F5001B9D04AC7692CF2CAC86CB04
                                                                                                    Function 00007FF848DBC0E0 Relevance: .4, Instructions: 427COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 492ae7c521ccbf640f44b308c2ba969e9aa3d5d34807c2e69c84e097edcc4c4b
                                                                                                    • Instruction ID: 06f9fd429c4763db5aee7f8d248decb507796736335b13ba59db352c7a3974fa
                                                                                                    • Opcode Fuzzy Hash: 492ae7c521ccbf640f44b308c2ba969e9aa3d5d34807c2e69c84e097edcc4c4b
                                                                                                    • Instruction Fuzzy Hash: D8B12322F0EC1A4FF6A9A66C646937923C1FBA86D1F6001BBC45DC3295EE189C4A4345
                                                                                                    Function 00007FF848DB6CD0 Relevance: .4, Instructions: 408COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1fdabc027f1df5d7b3b7fd7c0db0fd2f0a33ab23962d55a890550460263f570d
                                                                                                    • Instruction ID: cfe3ef4ceca066c8be73d43ccea4a68776a2367f63fd05208a2a16001e963312
                                                                                                    • Opcode Fuzzy Hash: 1fdabc027f1df5d7b3b7fd7c0db0fd2f0a33ab23962d55a890550460263f570d
                                                                                                    • Instruction Fuzzy Hash: 6DC1F530A0DA498FDB94FB2C98456B97BE1FF99390F0401BEE44AC7296DF24EC458785
                                                                                                    Function 00007FF848DC0FE6 Relevance: .4, Instructions: 405COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1acfaede49b90e1e48dcbf49902c6b9bf314a29ff2fd0b932c92d95cd3e1baf7
                                                                                                    • Instruction ID: c442e253bbd72ce68ef280d491a33102a9b3d8550d9c813719763d5497c95b27
                                                                                                    • Opcode Fuzzy Hash: 1acfaede49b90e1e48dcbf49902c6b9bf314a29ff2fd0b932c92d95cd3e1baf7
                                                                                                    • Instruction Fuzzy Hash: 42C11731E0EA9A8FEB95EB2894557B47BE1EF592D0F0801B9D54DC72D3DF28980AC305
                                                                                                    Function 00007FF848DB454D Relevance: .4, Instructions: 404COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6d943e0e874155a438fb9a6303e13cfd6ca929bd88c3389fadcca2f6df49c3b8
                                                                                                    • Instruction ID: 5cf77d642785751003ecfb797f1fcb83c83cc81e2b8442f9eb2992aba163bd0e
                                                                                                    • Opcode Fuzzy Hash: 6d943e0e874155a438fb9a6303e13cfd6ca929bd88c3389fadcca2f6df49c3b8
                                                                                                    • Instruction Fuzzy Hash: 7BC13832E0EA594FE755FA6DE8842F87791EF853B4F0402B7C548CB197DB24A84A83D4
                                                                                                    Function 00007FF848DB7D58 Relevance: .4, Instructions: 391COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9d5c378fed5db6f0ed1ba42ddd22a002f90773c61e5e77859cccd8173aea96db
                                                                                                    • Instruction ID: c4bf722ce349e4aa30a2086c5ab91da4d27743375e3ccee807db3db450192963
                                                                                                    • Opcode Fuzzy Hash: 9d5c378fed5db6f0ed1ba42ddd22a002f90773c61e5e77859cccd8173aea96db
                                                                                                    • Instruction Fuzzy Hash: 2CB13631B1D9495FEB98FA2C984677937D1FF98780F0001BAD94EC3297DE24AC4A8385
                                                                                                    Function 00007FF848DBD35F Relevance: .4, Instructions: 363COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7c8880002208dbbd97e2f20904071dd3dae815627203ac4616bb0f75457f2429
                                                                                                    • Instruction ID: 67c15eb995569eb81d4dc18731971d8d99df4c90119ce37c5bb95693e413624d
                                                                                                    • Opcode Fuzzy Hash: 7c8880002208dbbd97e2f20904071dd3dae815627203ac4616bb0f75457f2429
                                                                                                    • Instruction Fuzzy Hash: FFB1C630A1DD494FEB98FB288059BB477E1EF64780F0441BAD40EC729BDE29EC498785
                                                                                                    Function 00007FF848DBCA60 Relevance: .3, Instructions: 315COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cef8286b3ab476a693a42d9810cdcfc82a8053af80eb4b530a49d4deb130c41e
                                                                                                    • Instruction ID: 3e5de3ed51be6bdf6920d3eeef4c45629b3a30c52338e15626bc18561de42087
                                                                                                    • Opcode Fuzzy Hash: cef8286b3ab476a693a42d9810cdcfc82a8053af80eb4b530a49d4deb130c41e
                                                                                                    • Instruction Fuzzy Hash: 0A812831B1DD1A0FE6A4F71CA4597B973D2FFA83A0F0501BAE41DC3296DE199C468389
                                                                                                    Function 00007FF848DBB4C4 Relevance: .3, Instructions: 307COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fc974a0c510ef4062be912e15bb649c4ba982fbdc531e746e7ceb12289c1dc62
                                                                                                    • Instruction ID: 8cbd9089a4971d22279370f7ac7622d21f102ed883fba16956cefde6a58688b3
                                                                                                    • Opcode Fuzzy Hash: fc974a0c510ef4062be912e15bb649c4ba982fbdc531e746e7ceb12289c1dc62
                                                                                                    • Instruction Fuzzy Hash: 42913330A1DB4A4FD758EE2894856B673E1FFA5350F50067ED08AC3286EF29F8468785
                                                                                                    Function 00007FF848DBF604 Relevance: .3, Instructions: 306COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 81090b05ce20c47a4c6ddaee5ef7b46688f42c206a199fd786aa046aa96a6aa2
                                                                                                    • Instruction ID: f710ac4058d01ee421209ee3b3e7d19eecff02bf60521c10be27662c6e124631
                                                                                                    • Opcode Fuzzy Hash: 81090b05ce20c47a4c6ddaee5ef7b46688f42c206a199fd786aa046aa96a6aa2
                                                                                                    • Instruction Fuzzy Hash: DB21397290DFC68FE754F6288859775B7E0FFA4360F04057AC889C31A1DB28EC458346
                                                                                                    Function 00007FF848DCB784 Relevance: .3, Instructions: 305COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4fc1598376acb29a42159a160905f4bad15d9e2028d9cd41b239ce3784983deb
                                                                                                    • Instruction ID: 2b5c459d66d643407c0ff3b0e12b42830fa99ab4b5c98e63d13edf9fc78ca5df
                                                                                                    • Opcode Fuzzy Hash: 4fc1598376acb29a42159a160905f4bad15d9e2028d9cd41b239ce3784983deb
                                                                                                    • Instruction Fuzzy Hash: A6913331A1DB4A4FD798EE2894856B277D0FF953A0F10467ED08AC3296DF38F8468785
                                                                                                    Function 00007FF848DC269C Relevance: .3, Instructions: 298COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 51891f680e3526f5106d53355048b34a1254585e74161361e8391f9d7301f52a
                                                                                                    • Instruction ID: 260c06745019e3665fe84b4f46590a9d31dedcd81222b5afffaaad5382ca2f91
                                                                                                    • Opcode Fuzzy Hash: 51891f680e3526f5106d53355048b34a1254585e74161361e8391f9d7301f52a
                                                                                                    • Instruction Fuzzy Hash: 37818A22E1EA560FE651FA2D94A46F937D0FF507E0F0401B7D089C71D3CF18A80A839A
                                                                                                    Function 00007FF848DCBAC5 Relevance: .3, Instructions: 287COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2be52c5c40b7f17691ceb833e0cb046acd7d6c5b0d520b01558f784fe2c20be3
                                                                                                    • Instruction ID: f8784eed1b20e4087c89db666d0452019422acceba55f3bc86770cbd162b7c2b
                                                                                                    • Opcode Fuzzy Hash: 2be52c5c40b7f17691ceb833e0cb046acd7d6c5b0d520b01558f784fe2c20be3
                                                                                                    • Instruction Fuzzy Hash: 8A81483190EA4A4FE359EB28984567077E0FF563A0F1806BAD089C71A7DE29F84BC745
                                                                                                    Function 00007FF848DB595D Relevance: .3, Instructions: 285COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 81fbd088b87d174a2ad3e0aa8605512ac5fbc91bf8de64c02fce8bd01eaab49a
                                                                                                    • Instruction ID: 3492872b0d8fcab9d72407f3f32990b3c65986a5033a0b3964574df2ef8dd473
                                                                                                    • Opcode Fuzzy Hash: 81fbd088b87d174a2ad3e0aa8605512ac5fbc91bf8de64c02fce8bd01eaab49a
                                                                                                    • Instruction Fuzzy Hash: C5813872D1DE869FE668F62C84597B9B3E1FFA4360F4406B9C449C3192DB2CE8468345
                                                                                                    Function 00007FF848DBF5FA Relevance: .3, Instructions: 279COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dfcdac346273c36506fcd8765a3191fe0e50b298b0aed241bf302f54d55f6084
                                                                                                    • Instruction ID: 6530eff662727a9f11b4cb0ca24446dfef2ffab2ff6e78f1cd94aa5a4937bedf
                                                                                                    • Opcode Fuzzy Hash: dfcdac346273c36506fcd8765a3191fe0e50b298b0aed241bf302f54d55f6084
                                                                                                    • Instruction Fuzzy Hash: 95216B7290CF898FD754F628885A7B5B7E1FFA8360F04057AD489C3191DF28E8458347
                                                                                                    Function 00007FF848DC26CC Relevance: .3, Instructions: 267COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7d20870a4009e518307e5ce6d30ffc7aa7ed721aa39b7bdf470834a2d48bb377
                                                                                                    • Instruction ID: 5670d12cac0753d56746762ea111a548bfbfd2ecbc6265a5fddeee5295b41217
                                                                                                    • Opcode Fuzzy Hash: 7d20870a4009e518307e5ce6d30ffc7aa7ed721aa39b7bdf470834a2d48bb377
                                                                                                    • Instruction Fuzzy Hash: 58716631E1E95A4FE694FA2DA0A56F937D1EF547E0F000177E08DC71D7DF18A80A829A
                                                                                                    Function 00007FF848DB9430 Relevance: .3, Instructions: 258COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a5ff2fa008e56c879972579f40550e787815acb16bbaaf816bdc4fccf7628efc
                                                                                                    • Instruction ID: bf09654c3fa544c5e8fc2c9ab3aa5aaa460733ad150d435a44651134882281f2
                                                                                                    • Opcode Fuzzy Hash: a5ff2fa008e56c879972579f40550e787815acb16bbaaf816bdc4fccf7628efc
                                                                                                    • Instruction Fuzzy Hash: E8715730A1DB8A4FD358EE2894866B677E0FF65350F50067ED08BC3296DF25F8468785
                                                                                                    Function 00007FF848DC26F2 Relevance: .3, Instructions: 256COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 548e5141d3d9c4d375f8c9799433c74b31128e8ef07c050d59ffbae901b78a16
                                                                                                    • Instruction ID: 0d1df0c430cd7f60af23cc3750e738983a71382bf5ed87b2d686bf445188224e
                                                                                                    • Opcode Fuzzy Hash: 548e5141d3d9c4d375f8c9799433c74b31128e8ef07c050d59ffbae901b78a16
                                                                                                    • Instruction Fuzzy Hash: CC716731E1D95A4FE695FA2D94956B937D1EF647D0F0001BAE049C31D7CF18A80A838A
                                                                                                    Function 00007FF848DC26CA Relevance: .2, Instructions: 243COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 18e74a47fa17161522f210138eff7ead76fda66bca0e2e884e8ec792801929d9
                                                                                                    • Instruction ID: c0e849c09d6ae43f82ba78c5148c08f6527d2a3922ae46f994314825755f1adb
                                                                                                    • Opcode Fuzzy Hash: 18e74a47fa17161522f210138eff7ead76fda66bca0e2e884e8ec792801929d9
                                                                                                    • Instruction Fuzzy Hash: 82616731A1D95A4FE694FA2D90956B937D1EF547E0F0001BBE04EC31D7CF18A80A838A
                                                                                                    Function 00007FF848DB97B0 Relevance: .2, Instructions: 243COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d579aed60a3c6786d07611c0e0132ed4057de6765554c5c0bc2cd7108899a7a2
                                                                                                    • Instruction ID: 9afc2d2de62af554c54ace12cf23d41fdb9b9cd8a4238e6c8b534a029c27ba54
                                                                                                    • Opcode Fuzzy Hash: d579aed60a3c6786d07611c0e0132ed4057de6765554c5c0bc2cd7108899a7a2
                                                                                                    • Instruction Fuzzy Hash: A151E832B0EE0A0FEB98F51CA84677577D1EFA93A0F44017AD44DC3296EE1AEC464784
                                                                                                    Function 00007FF848DC27AC Relevance: .2, Instructions: 242COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 513f8b69328e0f711a4ec82a7105063d720c2662912fb9864fa50cf8fc6d24a2
                                                                                                    • Instruction ID: a2338201c6c700199dc282a01845020d18299c316a6b7cd362da945bb062019d
                                                                                                    • Opcode Fuzzy Hash: 513f8b69328e0f711a4ec82a7105063d720c2662912fb9864fa50cf8fc6d24a2
                                                                                                    • Instruction Fuzzy Hash: F6612731F1D95A4FE694FA2DA0956F937D1EF547E0F000176E04DC7297DF18A80A839A
                                                                                                    Function 00007FF848DC276C Relevance: .2, Instructions: 235COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 24eded6a39ea40e843c3944c78bfb0c3bb0e47dbb6fba61e02463817c8a8a8e4
                                                                                                    • Instruction ID: be75760e508a672ff6a7ffe29e45aa7442e9901198556e84924c604330d8743d
                                                                                                    • Opcode Fuzzy Hash: 24eded6a39ea40e843c3944c78bfb0c3bb0e47dbb6fba61e02463817c8a8a8e4
                                                                                                    • Instruction Fuzzy Hash: 14611631E1D95A4FEA94FA2D94956B937D1EF547D0F00017AE04EC31D7CF18A80A8389
                                                                                                    Function 00007FF848DC9008 Relevance: .2, Instructions: 233COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2266a594fedc18e1a314b9056af55be3054c9f04242fd44e4741aa3813be3062
                                                                                                    • Instruction ID: dfd931b2eae4f8d746382f0cddee8500860c96ad0d13096e04e6fb41421a80fe
                                                                                                    • Opcode Fuzzy Hash: 2266a594fedc18e1a314b9056af55be3054c9f04242fd44e4741aa3813be3062
                                                                                                    • Instruction Fuzzy Hash: 9171F621E0EAC64FE356AA3C68593747BE1EF56690F1801FEC0C9C7297DA28984EC345
                                                                                                    Function 00007FF848DCB28C Relevance: .2, Instructions: 232COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 61c287a6890b557d32e7af5abd3c4cd0b536fd33cc289d4f49ed51a4859bfcac
                                                                                                    • Instruction ID: e9f1aeb55e9448e598e8ebc97532efa1436d7cf64ec6da8c67d9b013f9ae8bd0
                                                                                                    • Opcode Fuzzy Hash: 61c287a6890b557d32e7af5abd3c4cd0b536fd33cc289d4f49ed51a4859bfcac
                                                                                                    • Instruction Fuzzy Hash: 0E61E430D1EA494FE795EB2888557757BE1EF55380F0401FAD04DC7297DE28EC468715
                                                                                                    Function 00007FF848DC280C Relevance: .2, Instructions: 230COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 43f1d06ac29ec16d454cc9a3f70045c1af214181bf206edda073b5cb419da401
                                                                                                    • Instruction ID: 107be23e2686003e6c54feb982a1484b786de7bcff1f2db11900962b00c82ab1
                                                                                                    • Opcode Fuzzy Hash: 43f1d06ac29ec16d454cc9a3f70045c1af214181bf206edda073b5cb419da401
                                                                                                    • Instruction Fuzzy Hash: 4F612831B1D95A4FE794FA2D90956F937D1EF947E0F000176E089C7297DF18A80A8399
                                                                                                    Function 00007FF848DB8F25 Relevance: .2, Instructions: 223COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2430ff6374bca0f63df53c26b31d3a7927d2321cc95776ab891d0ffa7f1757d1
                                                                                                    • Instruction ID: d573a9730e6cf7f28165a6646f1a03a42cdfcd28b663aef1973624642a20add4
                                                                                                    • Opcode Fuzzy Hash: 2430ff6374bca0f63df53c26b31d3a7927d2321cc95776ab891d0ffa7f1757d1
                                                                                                    • Instruction Fuzzy Hash: 75517D31B0ED4A4FEAE9EA1C9494B7063D2FF683A1B5405BAD40DC72A6DE19DC458384
                                                                                                    Function 00007FF848DB47C8 Relevance: .2, Instructions: 222COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: adae994e4d475e5fe188aab98518ee7535baa4a6e9c0f8b11d61cde9299e76ba
                                                                                                    • Instruction ID: 5ad2bc6b17f889d9c46a28f413da3c8b21d82106848907b24dcdd4951e9ed4f2
                                                                                                    • Opcode Fuzzy Hash: adae994e4d475e5fe188aab98518ee7535baa4a6e9c0f8b11d61cde9299e76ba
                                                                                                    • Instruction Fuzzy Hash: 2F61E43061DB454FD758EB28C495AB5B7E1FF94780F10467ED04AC72A2DF28F84A8B85
                                                                                                    Function 00007FF848DB7D48 Relevance: .2, Instructions: 215COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d5c5965a1a9045686b404e63b9c29653a18d781197ac7e90e7c6a2e27acda0be
                                                                                                    • Instruction ID: 6aec2c50de951e4dd1630d1414894bca521e1577d073c66de7478a2f2edfcabb
                                                                                                    • Opcode Fuzzy Hash: d5c5965a1a9045686b404e63b9c29653a18d781197ac7e90e7c6a2e27acda0be
                                                                                                    • Instruction Fuzzy Hash: 89517831E0E95A4FE7A4E62C94593757BD1EF5E2E0F1402FAD04DC72A6EE189C0B8345
                                                                                                    Function 00007FF848DB9440 Relevance: .2, Instructions: 212COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2877ac4efecb97ea101d77a6d5b63f07bd88a5a5dad6fa7a885c45f780e91459
                                                                                                    • Instruction ID: bee74a0167800e1d8e4492ca2d6c05deeeb40acaf8ebffae6f07af9cc3d1b1db
                                                                                                    • Opcode Fuzzy Hash: 2877ac4efecb97ea101d77a6d5b63f07bd88a5a5dad6fa7a885c45f780e91459
                                                                                                    • Instruction Fuzzy Hash: 67512230A1DE0A8FE758AB1DD885A7573E0FFA9350B540679D44EC3292DE29F8878784
                                                                                                    Function 00007FF848DC1D91 Relevance: .2, Instructions: 200COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2095d352008dd6ae5df5421d1c9bf903b19d0d632a9a59d8aa58a4eb06ab8642
                                                                                                    • Instruction ID: a45072f80bf8a52a924316e28ebc87bc570a8eb64a2d80af6351e0bf3714b1d9
                                                                                                    • Opcode Fuzzy Hash: 2095d352008dd6ae5df5421d1c9bf903b19d0d632a9a59d8aa58a4eb06ab8642
                                                                                                    • Instruction Fuzzy Hash: E351BE31A0E9594FEB95FA2C888477537D1EF99791F1001BAD54EC7297CE28AC4AC384
                                                                                                    Function 00007FF848DC27FA Relevance: .2, Instructions: 200COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bf63f909555b16e6c70866ae849e567a6458819dd731da0a387902d5267eaee8
                                                                                                    • Instruction ID: fc15dd187e5154161d2907c85a0a80f20022f2fb3481058fbd4307cf41173476
                                                                                                    • Opcode Fuzzy Hash: bf63f909555b16e6c70866ae849e567a6458819dd731da0a387902d5267eaee8
                                                                                                    • Instruction Fuzzy Hash: 1751E631B1D9594FDBA4FA1D90556F937D1EF98790F0001BAE04EC7296CF28E849839A
                                                                                                    Function 00007FF848DC2884 Relevance: .2, Instructions: 193COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 501aca18bc7c40822b18cf3c96dff6350094625845fa750a868f60aed02730e0
                                                                                                    • Instruction ID: ab88b79e2704921d848e7e207cfc56f8a144c68e42526f7a100d22637b7cb4d5
                                                                                                    • Opcode Fuzzy Hash: 501aca18bc7c40822b18cf3c96dff6350094625845fa750a868f60aed02730e0
                                                                                                    • Instruction Fuzzy Hash: C6510531B1D9594FDBA4FA1DA0556F937D1EF98790F0001BAE44EC3297CF28E845839A
                                                                                                    Function 00007FF848DB6738 Relevance: .2, Instructions: 192COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a07887f4238bdf267bc2076f6602ce3faca24c59ea34fad268094ca9c881a524
                                                                                                    • Instruction ID: e193b2551ff828bd17bf4ea4552209ae231fb270a902fe924032c65a8d523be6
                                                                                                    • Opcode Fuzzy Hash: a07887f4238bdf267bc2076f6602ce3faca24c59ea34fad268094ca9c881a524
                                                                                                    • Instruction Fuzzy Hash: 09510A76D0E68AAFE745F76CA8662E87BF0FF15250F4402BAC049871D3DF1C580A8755
                                                                                                    Function 00007FF848DCAFFA Relevance: .2, Instructions: 177COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a696326c7093fc0343dd4b0d4aa50321057ce1f02e830fb994c90124bac16ad2
                                                                                                    • Instruction ID: d7c2ce1a84395e3e19c884c4ccbc4985751531c5acfd701bf0d1a1774e89231a
                                                                                                    • Opcode Fuzzy Hash: a696326c7093fc0343dd4b0d4aa50321057ce1f02e830fb994c90124bac16ad2
                                                                                                    • Instruction Fuzzy Hash: 2F51C271D1D95D8FE769EE6898557B8B7B0FF54380F4000BAD00DE3292DF34988A8B15
                                                                                                    Function 00007FF848DC162F Relevance: .2, Instructions: 162COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 91ce4b303b12465741d1b33be7ef1a64e0f8f712c2a7665e3805178bf4b6f4a8
                                                                                                    • Instruction ID: 0b422def715c232baf05908d8c6c844f34d4dd679cc2effd46abe491ae1fb78c
                                                                                                    • Opcode Fuzzy Hash: 91ce4b303b12465741d1b33be7ef1a64e0f8f712c2a7665e3805178bf4b6f4a8
                                                                                                    • Instruction Fuzzy Hash: 9141FB31F1E95A8FDB84EB2CA85567877E1FF9C694F0802BAD04DC3296DF285C068385
                                                                                                    Function 00007FF848DC28E8 Relevance: .2, Instructions: 162COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ee0c4409cd4253f3a48563b84c2a9de7c0146d710944cdb4dc9aec5f4cea8824
                                                                                                    • Instruction ID: f5cb30b886145b6854e6511af31d6e6a198e8a6d71e340f0a7e21a0ba294cce2
                                                                                                    • Opcode Fuzzy Hash: ee0c4409cd4253f3a48563b84c2a9de7c0146d710944cdb4dc9aec5f4cea8824
                                                                                                    • Instruction Fuzzy Hash: 7141A020B1D9594FDBA4FA1D90557B937D2EFA8780F5001BAE44EC3297CF28E845878A
                                                                                                    Function 00007FF848DBF021 Relevance: .2, Instructions: 159COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 589e751381d2460eef64de93e86a93a307ff9e0f06d0a43d1425f9b5962f88b7
                                                                                                    • Instruction ID: 829f29efc4bc9b77efc6c9eda6834dc4d539ec6979eeb11935d76b5e3ee8bc4d
                                                                                                    • Opcode Fuzzy Hash: 589e751381d2460eef64de93e86a93a307ff9e0f06d0a43d1425f9b5962f88b7
                                                                                                    • Instruction Fuzzy Hash: 7241F420A0EA4A1FE789EB2C981977577D1EFA9350F4401FEE44DC7293DE1CAC468344
                                                                                                    Function 00007FF848DB5A71 Relevance: .2, Instructions: 155COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 98d76acd089f19a71dc35aca95835e30455c25046c59e1cafb6c9b8f98f741e9
                                                                                                    • Instruction ID: 595865ae170dbda6ae98d0e1a1267c79e2a1e5c475009e14a74e36c96447bd7f
                                                                                                    • Opcode Fuzzy Hash: 98d76acd089f19a71dc35aca95835e30455c25046c59e1cafb6c9b8f98f741e9
                                                                                                    • Instruction Fuzzy Hash: 1C41C331E1E94E4FE798EB2CA45577573E1FFA8390F4502BAD04DC3296DE28E8068345
                                                                                                    Function 00007FF848DB6DFB Relevance: .2, Instructions: 154COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 48aa5d406ea6962b0b1b23630b6f6073ef1c998e21976cce46fde7b152fd77f0
                                                                                                    • Instruction ID: 50498ee83d4ce8ef0a9fe18d78c5cfff55941c07d22c5a9461e1f39ad033da40
                                                                                                    • Opcode Fuzzy Hash: 48aa5d406ea6962b0b1b23630b6f6073ef1c998e21976cce46fde7b152fd77f0
                                                                                                    • Instruction Fuzzy Hash: C3411A63E0E9961FF651F62CBC992F567D1FF616A4F084277D048C7187DE18180B8395
                                                                                                    Function 00007FF848DC4CDA Relevance: .1, Instructions: 147COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e2b09f605882a61a2b9af35495401391c95375f380d38920e4eb9fd1f1627ec9
                                                                                                    • Instruction ID: 720dfe6550072a2e92eb46435d5f3c67bff88bf4ad90f5b8c238df20b21ed024
                                                                                                    • Opcode Fuzzy Hash: e2b09f605882a61a2b9af35495401391c95375f380d38920e4eb9fd1f1627ec9
                                                                                                    • Instruction Fuzzy Hash: 0C411720A0EA994FD796EB3C44643743FE2EF562D0F0941FBD089CB1E7DA189C498316
                                                                                                    Function 00007FF848DBDC60 Relevance: .1, Instructions: 146COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4f499680f84fa837b747205fdc47f1acc584b3b0c2982ea4d880435b0ee56880
                                                                                                    • Instruction ID: 703cea9b99148a659f17602ddf6cc84fb03899fba25b83f9976e772b68f0814e
                                                                                                    • Opcode Fuzzy Hash: 4f499680f84fa837b747205fdc47f1acc584b3b0c2982ea4d880435b0ee56880
                                                                                                    • Instruction Fuzzy Hash: 0041A33061DA868FDBA5EB2CC084F7177E1EF68380F5845B9D08EC76A6CE29E845C744
                                                                                                    Function 00007FF848DC5B40 Relevance: .1, Instructions: 143COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2608fdff44cae1114e32bb3c49a009e7266c5b255fcd4aead56977f74200cd1e
                                                                                                    • Instruction ID: 3ea63875d7d15e158d199e397833982193e61edc97784ef9539609eab2696f5f
                                                                                                    • Opcode Fuzzy Hash: 2608fdff44cae1114e32bb3c49a009e7266c5b255fcd4aead56977f74200cd1e
                                                                                                    • Instruction Fuzzy Hash: A0410E30A1DE064FE758EA38D4957B6B7E2FF94380F04457DD08AC3295DB29B886C784
                                                                                                    Function 00007FF848DB8478 Relevance: .1, Instructions: 140COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2fb96348594496595902c4a787a39e2541652617dca510da57e6be43898e5222
                                                                                                    • Instruction ID: d62ddf978a8f99b449a1723ae55eb9e21f21b97adb2693ae08e0c05a45066e33
                                                                                                    • Opcode Fuzzy Hash: 2fb96348594496595902c4a787a39e2541652617dca510da57e6be43898e5222
                                                                                                    • Instruction Fuzzy Hash: 58318632F1D91A4FF794BA2CA4093BA73D0FBA8791F01017BE45DD3295DF188846438A
                                                                                                    Function 00007FF848DC7728 Relevance: .1, Instructions: 138COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5632e2192da4a29de3474aa7d22153d459311797ee19a14c7dbc8aff3913e0f0
                                                                                                    • Instruction ID: fc5cdf7f41eb25b27b314f0707bc44020a3983a5729e29f787dbc057de1978f7
                                                                                                    • Opcode Fuzzy Hash: 5632e2192da4a29de3474aa7d22153d459311797ee19a14c7dbc8aff3913e0f0
                                                                                                    • Instruction Fuzzy Hash: F741CE30A1EA498FD759EB2884947B577E1EF5A390F5440BDC08AC72D2CF29B84AC749
                                                                                                    Function 00007FF848DB8270 Relevance: .1, Instructions: 137COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 29d8dc175ea69e859d172f77c960a398ef3870e1a8d0f869c2a0973663f77df5
                                                                                                    • Instruction ID: 697dd0dd4b162fd804d8d39b5e94c93b9a62a60c8760261a38b2035208fe8696
                                                                                                    • Opcode Fuzzy Hash: 29d8dc175ea69e859d172f77c960a398ef3870e1a8d0f869c2a0973663f77df5
                                                                                                    • Instruction Fuzzy Hash: D8414530A0EA8A9FE799F73C68466B47BD1FF653A0B5401BED049C7293DE1CAC468344
                                                                                                    Function 00007FF848DB14D2 Relevance: .1, Instructions: 134COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b0b9557b71fd75e67655073a58539cf205b0f35a7ae9b7e967018d3af111bcf0
                                                                                                    • Instruction ID: c8513621e0079aadd76606a9ca8d3cc2f2406da16aaaea0f04cc464332941e18
                                                                                                    • Opcode Fuzzy Hash: b0b9557b71fd75e67655073a58539cf205b0f35a7ae9b7e967018d3af111bcf0
                                                                                                    • Instruction Fuzzy Hash: A541B53190EA8A8FDB55E72C84557A9BBF0EF69350F4401BAD04DC71E2CF289C45C791
                                                                                                    Function 00007FF848DC44A1 Relevance: .1, Instructions: 134COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5723682acb35142bcfe5303c6aadb7890d725e66c6d29c70e97d7c161afb553e
                                                                                                    • Instruction ID: 165a1bb36239c3d596d07122b2e49029c16f7559aec0b24a233eb056f8ad9e48
                                                                                                    • Opcode Fuzzy Hash: 5723682acb35142bcfe5303c6aadb7890d725e66c6d29c70e97d7c161afb553e
                                                                                                    • Instruction Fuzzy Hash: 1031D921E1FE864FE395E67D28693743BD2EF55694B0901FAC488C72AADA185C0AC305
                                                                                                    Function 00007FF848DCEE27 Relevance: .1, Instructions: 129COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e6698264315efcdb3839bf948038526bd830606c6cf9bc86f6e8f1388b9ab017
                                                                                                    • Instruction ID: 7fe0d395b45e83bb2248a2fe37bcd4047fe7988c3e38452a39d304c18445a1ec
                                                                                                    • Opcode Fuzzy Hash: e6698264315efcdb3839bf948038526bd830606c6cf9bc86f6e8f1388b9ab017
                                                                                                    • Instruction Fuzzy Hash: D441C530E1E94A8FDB95FB6888563B977E1EF953A0F4401BAE009C7292DF2C9C498741
                                                                                                    Function 00007FF848DC4C50 Relevance: .1, Instructions: 125COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 27bbf64851178d0cf045d75793efccd771569da8b36d67b49c072b680380f2f8
                                                                                                    • Instruction ID: 7e251003dd4dcfb082336f57b91a2f12b8cf602c391f6224b0535237377c70d3
                                                                                                    • Opcode Fuzzy Hash: 27bbf64851178d0cf045d75793efccd771569da8b36d67b49c072b680380f2f8
                                                                                                    • Instruction Fuzzy Hash: B231F83160EAD94FD7A6EB3858646B43FE1EF43290F0A41EBD489CB1E7DA085C49C356
                                                                                                    Function 00007FF848DC7520 Relevance: .1, Instructions: 120COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1d4506b9fb0a03b72e802c54db4ab43bfb4ef3295b4ea5125c56262111ce8882
                                                                                                    • Instruction ID: 8615586c703348cd347ad2a166d7d55e451da7203c340f2e355053c8f6da0bf3
                                                                                                    • Opcode Fuzzy Hash: 1d4506b9fb0a03b72e802c54db4ab43bfb4ef3295b4ea5125c56262111ce8882
                                                                                                    • Instruction Fuzzy Hash: 2D31E02091EB894FD756E73888196657BE1EF46380F0A40FAD089C71E3DF28AC0AC359
                                                                                                    Function 00007FF848DB48ED Relevance: .1, Instructions: 120COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 043d923630261b4865bb208ba9139708dfaf8bb7213ac539f4963e489c3833cc
                                                                                                    • Instruction ID: cd2a5ff2eaebd148ab8c2e3dd2fa8e2c7b35ac5a0de54a57b8a6383451079bc2
                                                                                                    • Opcode Fuzzy Hash: 043d923630261b4865bb208ba9139708dfaf8bb7213ac539f4963e489c3833cc
                                                                                                    • Instruction Fuzzy Hash: FD316E30A1EA198FDB58AA2DC08477573E1FF59390F60417DD05FC3291CF25B84A8789
                                                                                                    Function 00007FF848DCF271 Relevance: .1, Instructions: 115COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cf48783586b1b5aaeb4894f4805bcc5fe11d02faccb853cf4128360f17a90f1c
                                                                                                    • Instruction ID: 71f700dfac37308ada78b5508726b3d8b913b782291cdf7fc7b89e7a0e61ebc0
                                                                                                    • Opcode Fuzzy Hash: cf48783586b1b5aaeb4894f4805bcc5fe11d02faccb853cf4128360f17a90f1c
                                                                                                    • Instruction Fuzzy Hash: 8C31A335A1D99A5FEB85F73C40257EDBBE0EFA5390F4801B6C049C7192DB5C9C4A8391
                                                                                                    Function 00007FF848DB97E0 Relevance: .1, Instructions: 114COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9d518cf82143484b7b1d370a52cb16a648bee618e757df5ea7e7da0218385c83
                                                                                                    • Instruction ID: 553e4b970c11c4fee71d676de997ec0b6e6411778c472bafbdb5ee8c1e292b38
                                                                                                    • Opcode Fuzzy Hash: 9d518cf82143484b7b1d370a52cb16a648bee618e757df5ea7e7da0218385c83
                                                                                                    • Instruction Fuzzy Hash: DF21A122B0ED0E4FEAD8F51D94657B923C2FBA83A1F54017AD41DC3286DF29DC464344
                                                                                                    Function 00007FF848DB3F69 Relevance: .1, Instructions: 113COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 24dd576b4080c7a66ab0f27f29be82a2c0cc722ff39c0fce0eebebb20bef4401
                                                                                                    • Instruction ID: 3dbe7447bc71cd74ea4336f970c0004d6d1ca95098a3bff27e0cdf7d699ede0f
                                                                                                    • Opcode Fuzzy Hash: 24dd576b4080c7a66ab0f27f29be82a2c0cc722ff39c0fce0eebebb20bef4401
                                                                                                    • Instruction Fuzzy Hash: D631B5318CE1911FD30AA3246C576F27BE49F56365F1A01E7D048CB5E3C91E6587C3A6
                                                                                                    Function 00007FF848DCF3B5 Relevance: .1, Instructions: 112COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8ea24b63823ea8f7baf90a01b5ae4d73f27f969ff759faad3de1c084d3c5668c
                                                                                                    • Instruction ID: 203097eb890d8fc052133cc37779f149b7e3e999912a872613d5b1d2258b953f
                                                                                                    • Opcode Fuzzy Hash: 8ea24b63823ea8f7baf90a01b5ae4d73f27f969ff759faad3de1c084d3c5668c
                                                                                                    • Instruction Fuzzy Hash: BC31687198F6895FD745FB7858162E9BBE4EF06360B4500FBD08ACB192DA5C1C4AC352
                                                                                                    Function 00007FF848DB109D Relevance: .1, Instructions: 109COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7a28f07b49e299eb79da69c621ee928cbe661c6301bd2dfb5d6fe428e48e36f0
                                                                                                    • Instruction ID: 52fd97b868bc29dae578be675742203573343cab7450d45d34fc430503349a1d
                                                                                                    • Opcode Fuzzy Hash: 7a28f07b49e299eb79da69c621ee928cbe661c6301bd2dfb5d6fe428e48e36f0
                                                                                                    • Instruction Fuzzy Hash: C531DB6048F3C21FD79397B499645823FF99D87560B0E41EBD5C8CE4A7D68E484EC322
                                                                                                    Function 00007FF848DCCA31 Relevance: .1, Instructions: 106COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 399689d682cda2ffa02ceb2afd569fba790e1a27fd7f0015d0eb6e21778da339
                                                                                                    • Instruction ID: 505eee3b637444518ab81a30281608b7ca05c75fefe9f91942cf5df80b7d3c8f
                                                                                                    • Opcode Fuzzy Hash: 399689d682cda2ffa02ceb2afd569fba790e1a27fd7f0015d0eb6e21778da339
                                                                                                    • Instruction Fuzzy Hash: C631E03190DB884FDB14EF189C0A6E9BFE4EF9A350F0401AFE889D3152D760A94987C3
                                                                                                    Function 00007FF848DB7DFB Relevance: .1, Instructions: 106COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d8e2b46a7bf8d7e0e4146414cc4346abff71ae996dd30efd38c6d1289efaf135
                                                                                                    • Instruction ID: 842a094b8a7756618acd409772d71732fda5b3a0320fe7fd12815be5e047381d
                                                                                                    • Opcode Fuzzy Hash: d8e2b46a7bf8d7e0e4146414cc4346abff71ae996dd30efd38c6d1289efaf135
                                                                                                    • Instruction Fuzzy Hash: 2031A23190EA8E4FDB85EF288895BF97BE0FF69385F04017AD049D3192CB289849C794
                                                                                                    Function 00007FF848DC6DE1 Relevance: .1, Instructions: 102COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0fa8c1d33e4f151ad73ee462acc9cb63fe2fd7421de09acb4023134053f845df
                                                                                                    • Instruction ID: 15f347a86602ae23aad9fc2fd791f24a9dfc74f69c51f7ef4cd40fbbc5382f39
                                                                                                    • Opcode Fuzzy Hash: 0fa8c1d33e4f151ad73ee462acc9cb63fe2fd7421de09acb4023134053f845df
                                                                                                    • Instruction Fuzzy Hash: 68214D31A0DA098FDF98EE5CA8557BC77E1FB98794F44027ED04ED3281CF25A8058789
                                                                                                    Function 00007FF848DC11A3 Relevance: .1, Instructions: 101COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9a972064285ec66456fdb12a83349c26cfd7f515aa2ed3653df6affd027f85e9
                                                                                                    • Instruction ID: 7e2a25265d1eec78603ba393511207d6d7fd07caa50bf94af87eba101252836e
                                                                                                    • Opcode Fuzzy Hash: 9a972064285ec66456fdb12a83349c26cfd7f515aa2ed3653df6affd027f85e9
                                                                                                    • Instruction Fuzzy Hash: 3931B330E0E9598FEF88EB6CA4657A867D1EF5D394F4501B8D54DC32D2DF28984AC308
                                                                                                    Function 00007FF848DC9B66 Relevance: .1, Instructions: 94COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 70bd11b2c7923957200c1aba5ce97baea7bd132b2ddedf63459205d7d2ede65b
                                                                                                    • Instruction ID: 0cfa593d1c01b5b3d6e571a800e5563822e253439f15556641aed4fa4926c0f8
                                                                                                    • Opcode Fuzzy Hash: 70bd11b2c7923957200c1aba5ce97baea7bd132b2ddedf63459205d7d2ede65b
                                                                                                    • Instruction Fuzzy Hash: 9731F93091E949AFDB95EF18C889BA877E1FF58394F0101B9E40DD72A5DB38E849CB44
                                                                                                    Function 00007FF848DC6377 Relevance: .1, Instructions: 92COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2ae918540542f52f821f3450f1feb47532f82e6e430884bbfd61014454fa1b05
                                                                                                    • Instruction ID: b2358d2778398e21dd31bb713f384dfa57e7a91f0ece054e1e70b67bb39f61d0
                                                                                                    • Opcode Fuzzy Hash: 2ae918540542f52f821f3450f1feb47532f82e6e430884bbfd61014454fa1b05
                                                                                                    • Instruction Fuzzy Hash: D421D122A0EA195EE728755D7C4E6FD3B80DB957E1F08013FF04983192EE15781A41E9
                                                                                                    Function 00007FF848DC64B2 Relevance: .1, Instructions: 92COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 052faf6639776851e053bba55350ba9d3345a1cfdda75ec9b161536cf3b80d6b
                                                                                                    • Instruction ID: 97502e299afba308854bda1ad97c428c21fcfe00955b09d79d9877e3b70db86f
                                                                                                    • Opcode Fuzzy Hash: 052faf6639776851e053bba55350ba9d3345a1cfdda75ec9b161536cf3b80d6b
                                                                                                    • Instruction Fuzzy Hash: E9212B32F0DA094FE798EA1CB84A2B977D1EF953B1F14017FD14EC3192DF15A84A4649
                                                                                                    Function 00007FF848DB092D Relevance: .1, Instructions: 90COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 04935fa6cb61faac3d3789cffa1323f488e9bb179aed54dfbec0904cdc635cfa
                                                                                                    • Instruction ID: 964ed72d3ba1f12026084aaf304878a4052304f8a647b248a92d186070b7ae1f
                                                                                                    • Opcode Fuzzy Hash: 04935fa6cb61faac3d3789cffa1323f488e9bb179aed54dfbec0904cdc635cfa
                                                                                                    • Instruction Fuzzy Hash: 8331D13094E68A9FDB45FBB848562A9BBF0AF16760B8402BDC0898B292CB1C1C46C754
                                                                                                    Function 00007FF848DB1289 Relevance: .1, Instructions: 86COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 833ed571f618ef13b484b6049aafde915700bfa177739238f865e8d8b460331d
                                                                                                    • Instruction ID: 87f8dbb1b18376b7f2c216c253d5633806b7694b5d26cb670951021a72cc79aa
                                                                                                    • Opcode Fuzzy Hash: 833ed571f618ef13b484b6049aafde915700bfa177739238f865e8d8b460331d
                                                                                                    • Instruction Fuzzy Hash: 6821AF5194F7C25FE352A77818256A97FB0AF6B690B4941FBC088CB1ABE61C9C4DC312
                                                                                                    Function 00007FF848DBBE1D Relevance: .1, Instructions: 86COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6d4a97a1792ddc0005637726f3f328c77befd8811fe365c3eb1711ae928be8bb
                                                                                                    • Instruction ID: 785b1f9020ffd7e3087c96b78cd3a1ee15d2d4f81de761aa24f7b84a90adcd9c
                                                                                                    • Opcode Fuzzy Hash: 6d4a97a1792ddc0005637726f3f328c77befd8811fe365c3eb1711ae928be8bb
                                                                                                    • Instruction Fuzzy Hash: D3113831A0EA4A0FE748EA1C9846B757BD1EF65260F0402BED00CC3293DE2EE9068340
                                                                                                    Function 00007FF848DBDEE1 Relevance: .1, Instructions: 81COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8111ad7fc11c31185da288dffab9e2eb00e579bf04978302614295036a74158e
                                                                                                    • Instruction ID: 0b8f53e261f1243b7d721263e66e6b07b6d91525ed5d557cada3b179a7a3fe38
                                                                                                    • Opcode Fuzzy Hash: 8111ad7fc11c31185da288dffab9e2eb00e579bf04978302614295036a74158e
                                                                                                    • Instruction Fuzzy Hash: 42110672F0EDC94FE399A52D2C692742AC0EFA9641B1901FBD44DC72E6DE458C09C349
                                                                                                    Function 00007FF848DCEF99 Relevance: .1, Instructions: 80COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8ea2259854745e9adca541c7b4bfefd8239bfc4b4505f9611807dd7c863a4ff1
                                                                                                    • Instruction ID: 0c85f4c79a24bcf93aa58296ec0bdb8ec57da7755a0d17fe8e56c8f948dda44c
                                                                                                    • Opcode Fuzzy Hash: 8ea2259854745e9adca541c7b4bfefd8239bfc4b4505f9611807dd7c863a4ff1
                                                                                                    • Instruction Fuzzy Hash: A411E632E1D98D4FEB90FA68A8156B97BE0FB99391F0401BAE40DC3192DB585C498746
                                                                                                    Function 00007FF848DBDF00 Relevance: .1, Instructions: 77COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0264c41a37fe08a0fa8e8dd259d422261b349fae1748eee47e6b4d8a463a0034
                                                                                                    • Instruction ID: 0b381af767ebcfa0cf12bdb24706e6b50d8338f13fa93bc262b257db750b083c
                                                                                                    • Opcode Fuzzy Hash: 0264c41a37fe08a0fa8e8dd259d422261b349fae1748eee47e6b4d8a463a0034
                                                                                                    • Instruction Fuzzy Hash: 93112632F0FC894FE6D8A56D3C5927526C0EFAD651B1501BBE40DC32E6DE468C49C349
                                                                                                    Function 00007FF848DBBF7D Relevance: .1, Instructions: 75COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c5c5ec36e7b89122aef9454d98a122ae95ea46692944b326b8b80f19756ddef3
                                                                                                    • Instruction ID: d442f025df8480f4f131ebb6e69bb66a0b2036a2a24f513fb7517be9e8656206
                                                                                                    • Opcode Fuzzy Hash: c5c5ec36e7b89122aef9454d98a122ae95ea46692944b326b8b80f19756ddef3
                                                                                                    • Instruction Fuzzy Hash: 4A11E22150EB851FE762B27898466B53FE4EF66394B0A00FBE488C71A3DD095C868366
                                                                                                    Function 00007FF848DBD228 Relevance: .1, Instructions: 74COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4eb357d43c73e25cee222ae7f43d1c5fa533b4781ce22b9ce69df4f407b69ff6
                                                                                                    • Instruction ID: 5a8bef65644fcb1745cbc1c17672f3662ca96deacc8ee84b2460e445c19e3836
                                                                                                    • Opcode Fuzzy Hash: 4eb357d43c73e25cee222ae7f43d1c5fa533b4781ce22b9ce69df4f407b69ff6
                                                                                                    • Instruction Fuzzy Hash: 6411D522A0D5955FE744FA6CE4A53F837A1EF61390F1840B6D48DCB157CE18A44A8364
                                                                                                    Function 00007FF848DCEFD1 Relevance: .1, Instructions: 69COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dcc1df84a35d6ff8c8063b110ab955fa54336e7fbdbc939a1b090c4bc5c44fbe
                                                                                                    • Instruction ID: 3a6405f8830f2744e5d1965eb253ec7b2e78f9cd017076dbe3c8b79299e2f6c8
                                                                                                    • Opcode Fuzzy Hash: dcc1df84a35d6ff8c8063b110ab955fa54336e7fbdbc939a1b090c4bc5c44fbe
                                                                                                    • Instruction Fuzzy Hash: B9114871D1E9881FE745FB389C566FA7BE0EB853A1F0402BBE008C3592CE1C5D4A8392
                                                                                                    Function 00007FF848DCF1E0 Relevance: .1, Instructions: 64COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3cbca41e9f6a65a8072e0db9a51a1d7deb04672e01a2d6cd2d8584c2f77f64b8
                                                                                                    • Instruction ID: d909fa3b1dfce53e7852a47cd05f650e49e0c62a4c0b96df5649a4c9f164ac99
                                                                                                    • Opcode Fuzzy Hash: 3cbca41e9f6a65a8072e0db9a51a1d7deb04672e01a2d6cd2d8584c2f77f64b8
                                                                                                    • Instruction Fuzzy Hash: 6811E33089F24B8FD74AFAB458527E477E09F162B0F8005BCC84AC7992DB5C9C4AC219
                                                                                                    Function 00007FF848DBD2D8 Relevance: .1, Instructions: 60COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9d3752b8a76b0510a04d8e4407512e9bf103330d155c09885ab175ef9fe4d6e0
                                                                                                    • Instruction ID: 5ce14d3030203df6880a3e4d9dc214350b58ee3722e8dbe8cacd1b3b63213f6c
                                                                                                    • Opcode Fuzzy Hash: 9d3752b8a76b0510a04d8e4407512e9bf103330d155c09885ab175ef9fe4d6e0
                                                                                                    • Instruction Fuzzy Hash: F501D631B0DD494FE7D4FA6D849977937E1EBA8341B0440BAD84DCB25BCE24EC4A8750
                                                                                                    Function 00007FF848DB0480 Relevance: .1, Instructions: 59COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bd9625597461d3c36a2d226683000be41e6b8e66c941fc67c898c7bd9e1034bc
                                                                                                    • Instruction ID: 2b9a469b938f1f38989fa07417f96fab3fc4c40c71d81d9c5b7b480e72e9de34
                                                                                                    • Opcode Fuzzy Hash: bd9625597461d3c36a2d226683000be41e6b8e66c941fc67c898c7bd9e1034bc
                                                                                                    • Instruction Fuzzy Hash: F9012402A1F06559EA10B26DB0B17F93B41DF462B8F0941B3E08C8A09BDE09684941F9
                                                                                                    Function 00007FF848DCF0EC Relevance: .1, Instructions: 58COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1d4653209fa207001084860e6ecf41ff0949c188c84fe77581e0536e944ebdc7
                                                                                                    • Instruction ID: 1274765e47453b2f5729e9f61e787f830ffedc7b8101ccebba5efc9c3ea5f895
                                                                                                    • Opcode Fuzzy Hash: 1d4653209fa207001084860e6ecf41ff0949c188c84fe77581e0536e944ebdc7
                                                                                                    • Instruction Fuzzy Hash: 1711823090F587AFE786F37888162B927E09F456A0F4805F8C04AC7692DA2C5C09C311
                                                                                                    Function 00007FF848DB4ED0 Relevance: .1, Instructions: 57COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4f296938ef483052bc30ebc84deac9a8ebe3890ecab72f989a8ccbab58376f0e
                                                                                                    • Instruction ID: c73258064cb1b76d998303b4eafb171bff64d9453159c82fa5bc534ab446314e
                                                                                                    • Opcode Fuzzy Hash: 4f296938ef483052bc30ebc84deac9a8ebe3890ecab72f989a8ccbab58376f0e
                                                                                                    • Instruction Fuzzy Hash: 86018631B0E80E5FD6E4FA1DA85577673E5EBA9350F40027AE40CC3256DE69DC054389
                                                                                                    Function 00007FF848DCF4D9 Relevance: .1, Instructions: 55COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b4d5fccf184d7dc77ff07399e45ca8c49338b5f43d84dc98e33338f8ce96e4ea
                                                                                                    • Instruction ID: d16d4f487ff65b97ec73e03e24107648f81673ebb84b545278bbf4f39b7c96ae
                                                                                                    • Opcode Fuzzy Hash: b4d5fccf184d7dc77ff07399e45ca8c49338b5f43d84dc98e33338f8ce96e4ea
                                                                                                    • Instruction Fuzzy Hash: 6701243190E5850FE349A33868012F17BD1DF863A0F1981B6E44CC7197DD9D5846839A
                                                                                                    Function 00007FF848DC02D1 Relevance: .1, Instructions: 53COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 79e06c218be8e8b82a01cc0f55cb901dcecb62424ab2f393863ab93fac375617
                                                                                                    • Instruction ID: b85afa526b7ebac35b80cb33e43f3e4976a6f77c669bc9e3041090f9df9640e6
                                                                                                    • Opcode Fuzzy Hash: 79e06c218be8e8b82a01cc0f55cb901dcecb62424ab2f393863ab93fac375617
                                                                                                    • Instruction Fuzzy Hash: 92F0B42270DA580FE394A52CAC5EAB67BD4DB6617270502FFE948C71A3EA429C468354
                                                                                                    Function 00007FF848DCABB1 Relevance: .1, Instructions: 53COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3438436c058f206b49dad807a1587f76bb999f252af6e9c88ec6716becdc37c2
                                                                                                    • Instruction ID: a895d8e39aec18c5323d57a7ce6a25b6002bb13e3acfa3e2d2b203f7492ef98a
                                                                                                    • Opcode Fuzzy Hash: 3438436c058f206b49dad807a1587f76bb999f252af6e9c88ec6716becdc37c2
                                                                                                    • Instruction Fuzzy Hash: 82F0C852E0F98A1FE396617CA8963F46B81DBA81A1B0841F7D04CC71A3DC484C8B4396
                                                                                                    Function 00007FF848DB9D2B Relevance: .1, Instructions: 52COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a65386ff4b2d0353372f8beb3078914c4eab3349592d9af2f20da585e3371265
                                                                                                    • Instruction ID: 61820dc6c07041a2a67ac04265bf6e2dd4c7fad3105e87179f2345a5a7b6ebc7
                                                                                                    • Opcode Fuzzy Hash: a65386ff4b2d0353372f8beb3078914c4eab3349592d9af2f20da585e3371265
                                                                                                    • Instruction Fuzzy Hash: CD112170D199999EE799EB2888493BCB7A1FF64340F5001B9D00ED3297DF345985CB14
                                                                                                    Function 00007FF848DBD79D Relevance: .1, Instructions: 52COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ffb1ee6308ebadb00814b66178dcd5c3a3854c9e99b75fcc442fb3057c959900
                                                                                                    • Instruction ID: d73b7b053fd66e12cb1bf26525fe7cccfd7604334ecdb32a2d6ff02b4eb44357
                                                                                                    • Opcode Fuzzy Hash: ffb1ee6308ebadb00814b66178dcd5c3a3854c9e99b75fcc442fb3057c959900
                                                                                                    • Instruction Fuzzy Hash: B901442190EE890FE35AB73C64513F46BE1EFA6290F4401BBC08EC3087DF4C684A8345
                                                                                                    Function 00007FF848DB0862 Relevance: .1, Instructions: 52COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 35873ea4ab1844886ed315217f11c703e221987375a14ca14dc33db2acb6cea9
                                                                                                    • Instruction ID: 698f7d825d9e57c5fbdca6c26b206c7f75fa8b1548168e14047b11e9cd5d415f
                                                                                                    • Opcode Fuzzy Hash: 35873ea4ab1844886ed315217f11c703e221987375a14ca14dc33db2acb6cea9
                                                                                                    • Instruction Fuzzy Hash: D101D87190EBC99FD356AB7858253557BE0FF56310F0901ABD058CB2D3DA289C1DC392
                                                                                                    Function 00007FF848DB5D33 Relevance: .1, Instructions: 51COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 20065016d44ae0cdb6cb68ab3b9a775857d2fd1d79cbc66c21169c92870001b3
                                                                                                    • Instruction ID: da356ea0d28bb74b7aa53c8e46a7d01c3c20dec793dc9ef197a7f49219857ed8
                                                                                                    • Opcode Fuzzy Hash: 20065016d44ae0cdb6cb68ab3b9a775857d2fd1d79cbc66c21169c92870001b3
                                                                                                    • Instruction Fuzzy Hash: 14F0F611F1EE4F0FE7D8B66C240937961D2EF982A1F80117BD40EC3186EE289C464389
                                                                                                    Function 00007FF848DB5A80 Relevance: .0, Instructions: 49COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 909665ab8ed82fed0a2d15d191acfc924429b08258376c2fedf2458098018775
                                                                                                    • Instruction ID: 305a44d0945c47a1e30e661a1162a9551d4e084e590a36bcc8c3a69e0568cfc4
                                                                                                    • Opcode Fuzzy Hash: 909665ab8ed82fed0a2d15d191acfc924429b08258376c2fedf2458098018775
                                                                                                    • Instruction Fuzzy Hash: 8F01D621A1AD4B4FDA98FB2D909467673E2FFA8340F44057AC00DD328ADF28E8464345
                                                                                                    Function 00007FF848DB4B4D Relevance: .0, Instructions: 45COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6d0b5c3293231365fdd89471051ad6e183b1fec680b373d84c7779b15babc36a
                                                                                                    • Instruction ID: a425b548f3389260159920e4e40e4b8f51f300386419b1e7d781f92c60e9dd91
                                                                                                    • Opcode Fuzzy Hash: 6d0b5c3293231365fdd89471051ad6e183b1fec680b373d84c7779b15babc36a
                                                                                                    • Instruction Fuzzy Hash: 7101810585FACA1ED763A37828303A16FA68EA3164B0D01E7D2C8CB087DA0C5859C39E
                                                                                                    Function 00007FF848DB4CF5 Relevance: .0, Instructions: 44COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 83edb1efc4ace2827381c0eafedf71838c9116b98d5e25b7fc586753cb0bd77f
                                                                                                    • Instruction ID: f913b33124c7658f5c5644c1eda2be8dfc56c6f45cca458107f615b4a68d3ef6
                                                                                                    • Opcode Fuzzy Hash: 83edb1efc4ace2827381c0eafedf71838c9116b98d5e25b7fc586753cb0bd77f
                                                                                                    • Instruction Fuzzy Hash: F2F0E212E0FDDE0FD296E26C28642B81BC2EBA55A0B4D03F7C548CB18ADD4C4D4A4396
                                                                                                    Function 00007FF848DB7D50 Relevance: .0, Instructions: 44COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
                                                                                                    • Instruction ID: 5e91c2b5d64c5e9a01e1d14ca6fe839fbf2d35837f37f6a0f38f73fe33c00adc
                                                                                                    • Opcode Fuzzy Hash: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
                                                                                                    • Instruction Fuzzy Hash: 2BF0E23160E82B0EEA78B10D94597726ADAEF8F3F0F210076E54EC3192EA58AC468644
                                                                                                    Function 00007FF848DB5BE9 Relevance: .0, Instructions: 43COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 402746fa0fd8c8750446f61b79a6a8c09a46b1ca63389bd83b34f0ab3aaab04d
                                                                                                    • Instruction ID: 3d1de6f14c54ceef3dc7611c7da0938374aa348ab909922f6923e44670de5b97
                                                                                                    • Opcode Fuzzy Hash: 402746fa0fd8c8750446f61b79a6a8c09a46b1ca63389bd83b34f0ab3aaab04d
                                                                                                    • Instruction Fuzzy Hash: A101693091DB8E4FDB86EF2888582BA7BB0FF65240F4404ABD459D72A2DA7959148741
                                                                                                    Function 00007FF848DC6413 Relevance: .0, Instructions: 41COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
                                                                                                    • Instruction ID: 70dceb5d8809c9a26f1d6a89232e8617190df6de73cfacf84bf2bd735db44391
                                                                                                    • Opcode Fuzzy Hash: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
                                                                                                    • Instruction Fuzzy Hash: E1F0FE71A2CB088F9F44AE4CBC434AD77D0FB99B60F10116FF94A43241D721B8928AC7
                                                                                                    Function 00007FF848DB6FF2 Relevance: .0, Instructions: 41COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c7ae08f9af00ec9c6e823a142462140c851734307017448bb4e86926bb67bbe5
                                                                                                    • Instruction ID: b96b811238b88ba1c788ab103f0b0f5dca732b4ea9c7f24c38d1c8631066b58f
                                                                                                    • Opcode Fuzzy Hash: c7ae08f9af00ec9c6e823a142462140c851734307017448bb4e86926bb67bbe5
                                                                                                    • Instruction Fuzzy Hash: D8F09621B19D4B4FDA95FA18D050AB973E2FFA4380B504475D00EC3589DF28E8424741
                                                                                                    Function 00007FF848DCBE9B Relevance: .0, Instructions: 40COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 90f5a89ca3c46eec046ac7c6f682757de93ff89e9d52fb42d81f2704e395eff2
                                                                                                    • Instruction ID: 028cce79eca7e54ed75c0ed3aca36fd6a71176531500d5f468ffecf99b266d9a
                                                                                                    • Opcode Fuzzy Hash: 90f5a89ca3c46eec046ac7c6f682757de93ff89e9d52fb42d81f2704e395eff2
                                                                                                    • Instruction Fuzzy Hash: 32F03772B1D61D4FE648BA1C64122B973C2DB8A9A0F10416FD58FC7247DE25A80B4389
                                                                                                    Function 00007FF848DBB902 Relevance: .0, Instructions: 38COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 44b8930c4da1f2cb26ab074b1b585f3512cda4e4dee37559ab423cf6d325bcfb
                                                                                                    • Instruction ID: 84e557ead8ae4b1de47540fa4ef1adbed41f38d96951800c8f09587e123fcc6d
                                                                                                    • Opcode Fuzzy Hash: 44b8930c4da1f2cb26ab074b1b585f3512cda4e4dee37559ab423cf6d325bcfb
                                                                                                    • Instruction Fuzzy Hash: FAF0C22040EBCA0FD716A73894546A07BE0EF56350F4D02FBD488CB2A7DA1CA989C359
                                                                                                    Function 00007FF848DB8AE8 Relevance: .0, Instructions: 38COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5f6e313135fcc7dc91d02b3e14e3bccb4d3bfc5dfc5179b4a58c6d86b645762d
                                                                                                    • Instruction ID: ba76735f6422ea9bc912c2188d0f4ea6e2ce5f7716348f39b95f83fb73536eeb
                                                                                                    • Opcode Fuzzy Hash: 5f6e313135fcc7dc91d02b3e14e3bccb4d3bfc5dfc5179b4a58c6d86b645762d
                                                                                                    • Instruction Fuzzy Hash: 5EF0E531A1ED0D1FE5A8B22C64857FA62E2EFA4790F84023AD40FD3285DE5DA8464385
                                                                                                    Function 00007FF848DBDF92 Relevance: .0, Instructions: 38COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ed693b6510681dace6e0d584bd1be0c16ee24e19b5f040172ee0f418a6840a3c
                                                                                                    • Instruction ID: ec678c0fd0b4ca5caefe9970a34201f977e0467f09b4fbec0e7acfa47b38a895
                                                                                                    • Opcode Fuzzy Hash: ed693b6510681dace6e0d584bd1be0c16ee24e19b5f040172ee0f418a6840a3c
                                                                                                    • Instruction Fuzzy Hash: E4F0905180F7D50FEB47AB78492A2A57FE19F6B160B4D85EBC0C8CF1A3D61C844AC352
                                                                                                    Function 00007FF848DB51FE Relevance: .0, Instructions: 36COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 66092b8edece5097397f95985013c309fe96a2ac580d0564f917abac043d196b
                                                                                                    • Instruction ID: df808b47a6c16a9f1a207ecd763de9aaa61009c78f89a9dcdd3c0a791ca0cd31
                                                                                                    • Opcode Fuzzy Hash: 66092b8edece5097397f95985013c309fe96a2ac580d0564f917abac043d196b
                                                                                                    • Instruction Fuzzy Hash: 74F0E911A0F9864FD748B62964856B96792EF64280F0404BDC00DC719BDE29A98A4706
                                                                                                    Function 00007FF848DB08DD Relevance: .0, Instructions: 36COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e362153480ceac7e1cf89cea4886cd900dfe46d55696f14d4d5ed9609ae4312b
                                                                                                    • Instruction ID: 11e51443d7a9436294099ce170c26e62e4a10f29d9db88206526952c42820a08
                                                                                                    • Opcode Fuzzy Hash: e362153480ceac7e1cf89cea4886cd900dfe46d55696f14d4d5ed9609ae4312b
                                                                                                    • Instruction Fuzzy Hash: 91F0E270D0FA8A9FEB41FAB804562A9BBE0DF25660B8402BEC049C7252CA1C4C068704
                                                                                                    Function 00007FF848DB92C5 Relevance: .0, Instructions: 31COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d980011fd5cd0d9393d9c5fb644df4c44b5d2490a14693095fcc457ae657a227
                                                                                                    • Instruction ID: f19616871c5b3d386b74b6e4beeaaab6c18fd0eb9f148c7748cc8c5bb4e7d563
                                                                                                    • Opcode Fuzzy Hash: d980011fd5cd0d9393d9c5fb644df4c44b5d2490a14693095fcc457ae657a227
                                                                                                    • Instruction Fuzzy Hash: 5FF0E5B2C0F3C10FE752663548562A87F90BF66250F8805FAC488CB0A7EB2C994E8316
                                                                                                    Function 00007FF848DCF21E Relevance: .0, Instructions: 31COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 201f880926673ec1f45f5d2146d41c22f8a3c6b827febfa8831c9c902906951d
                                                                                                    • Instruction ID: f6df368840ab6620e4937aa782d6fe3ef500aee202b81528d3218ef087db7ad8
                                                                                                    • Opcode Fuzzy Hash: 201f880926673ec1f45f5d2146d41c22f8a3c6b827febfa8831c9c902906951d
                                                                                                    • Instruction Fuzzy Hash: 73F0A73085F64B4FD745FFA59C516E477E0DF51260F8404F9C84ACB9A3CA1C5D89C616
                                                                                                    Function 00007FF848DB04C0 Relevance: .0, Instructions: 31COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b52c2cd1f9376ed4b13f4cae130ad17841f9d34b33c26fa664c30ff71e6d9c9b
                                                                                                    • Instruction ID: ec65063bb6948a8e7a3825b9ee19f5e2205e20da7cfe35b69ed305101152a4e4
                                                                                                    • Opcode Fuzzy Hash: b52c2cd1f9376ed4b13f4cae130ad17841f9d34b33c26fa664c30ff71e6d9c9b
                                                                                                    • Instruction Fuzzy Hash: A5E0D812A1F86919FA68726C70613F93741CF463B8F4901B2D88DD61CBDD8A1C4502E9
                                                                                                    Function 00007FF848DB1614 Relevance: .0, Instructions: 27COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 38ccd32c2ef9ef9ae26be0ab7c3114cfe1abf76843b322d6cf799e7cbf34feb3
                                                                                                    • Instruction ID: 6fe78be288be2692046da0b67c84a5d7b510adbb1e110c659c710a0b87d7109f
                                                                                                    • Opcode Fuzzy Hash: 38ccd32c2ef9ef9ae26be0ab7c3114cfe1abf76843b322d6cf799e7cbf34feb3
                                                                                                    • Instruction Fuzzy Hash: 8DE07D31A0CE4C4FCB40FA9CB8018D67BA0FBC9308F04009AE44CC3181D6219411C355
                                                                                                    Function 00007FF848DC5381 Relevance: .0, Instructions: 26COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
                                                                                                    • Instruction ID: ffa37fdbb59bda29e9adf39734c9e0e70dac8899cec589e9f5687b91a03f4aaa
                                                                                                    • Opcode Fuzzy Hash: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
                                                                                                    • Instruction Fuzzy Hash: 8EE0D83260D8054FE718FA04D8907F433A2FB913A0F50463AC406C72D1DE5CE4458344
                                                                                                    Function 00007FF848DB04C8 Relevance: .0, Instructions: 26COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1610aa5cff5648d77a8299691b0ffc9d600bfd396503b217f403493217c3b10a
                                                                                                    • Instruction ID: ba0e3b7f046e53297b83391c4adbfbf64e7d4926c7e8122e229e0d7fba576c68
                                                                                                    • Opcode Fuzzy Hash: 1610aa5cff5648d77a8299691b0ffc9d600bfd396503b217f403493217c3b10a
                                                                                                    • Instruction Fuzzy Hash: 72E0CD1291F83559FE68716C70613F92381CF093B4F440072E84DD61CBDD8D2C8501E9
                                                                                                    Function 00007FF848DB45A0 Relevance: .0, Instructions: 26COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d3120823cb49ccd8a594a2dbc8d1b3cee3f7666183693e332e2e4b2c2332dfb3
                                                                                                    • Instruction ID: b92b91471bf99e8ba719cac934666a8492554464172e4ffd61eb5e5dadf57148
                                                                                                    • Opcode Fuzzy Hash: d3120823cb49ccd8a594a2dbc8d1b3cee3f7666183693e332e2e4b2c2332dfb3
                                                                                                    • Instruction Fuzzy Hash: 31E08631A0EC294FDAB4EE1C54447A437E2FF087C0B0600E6D04DCB2D9CA105C4C83C5
                                                                                                    Function 00007FF848DCFD40 Relevance: .0, Instructions: 26COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 140875dddcb94d077cdd7759ef9409f9ce6f61d896d1bc03daff915397a8b508
                                                                                                    • Instruction ID: 5d7601b1613f2dd5d0a5056b10eb246c7d593aef377d937a45be13c30cb113ce
                                                                                                    • Opcode Fuzzy Hash: 140875dddcb94d077cdd7759ef9409f9ce6f61d896d1bc03daff915397a8b508
                                                                                                    • Instruction Fuzzy Hash: 59E092B041E7D00FD30B673448652957FA0AB52350F8805EED4C9CB1A3C66C4149C347
                                                                                                    Function 00007FF848DCF189 Relevance: .0, Instructions: 25COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7ea0586948cb52fdc88709b53f0cadd07c0f37654c65e296328c7f73ec2a7581
                                                                                                    • Instruction ID: af714c2c534e95351283004837f4a81c91b8b01cf40fe3fb681bc31c4798ffdd
                                                                                                    • Opcode Fuzzy Hash: 7ea0586948cb52fdc88709b53f0cadd07c0f37654c65e296328c7f73ec2a7581
                                                                                                    • Instruction Fuzzy Hash: 3DE0D81190EBD80FE7AA626C14653A43FA0CF46260F0A00EBC849DB1D7E98D5C494392
                                                                                                    Function 00007FF848DB4260 Relevance: .0, Instructions: 25COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 18ba18a943ee4dd1e0716ccb17947207b2c0a5ac732912e0e0b1e0b67193fad7
                                                                                                    • Instruction ID: 3e9add6cf378b9ac8ebb07b9aa107b75a5c8aec2181c9683bf82f8b547ce9426
                                                                                                    • Opcode Fuzzy Hash: 18ba18a943ee4dd1e0716ccb17947207b2c0a5ac732912e0e0b1e0b67193fad7
                                                                                                    • Instruction Fuzzy Hash: FCD01711E5FC2E1ED8B4B26C28157A90086DBD86A0F8A0372EA0CC3289DE189C8502C8
                                                                                                    Function 00007FF848DCBCD8 Relevance: .0, Instructions: 25COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4f9f39d3c9c604e7d8b000955c7def2a5a2f02dd3fc6a84b66c7276bf7c0d5a8
                                                                                                    • Instruction ID: 04f76cca8e6ddb7323b16f8408e2ab3829362782b28aaf8e2bc25aae1b33cc59
                                                                                                    • Opcode Fuzzy Hash: 4f9f39d3c9c604e7d8b000955c7def2a5a2f02dd3fc6a84b66c7276bf7c0d5a8
                                                                                                    • Instruction Fuzzy Hash: 7AE0D851D0F9C60EE786EA3E18687703F81AF12260F8842F9C289C72A3ED08C80C8209
                                                                                                    Function 00007FF848DB8150 Relevance: .0, Instructions: 24COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 351d19dd5296665f6fda2a4dd34bf288d98152e026793ebb705f75ce0891b021
                                                                                                    • Instruction ID: ead5cac0b32c3cfc12508521e4d422e954a42a3ca17f8442ad861559641da159
                                                                                                    • Opcode Fuzzy Hash: 351d19dd5296665f6fda2a4dd34bf288d98152e026793ebb705f75ce0891b021
                                                                                                    • Instruction Fuzzy Hash: 51E0C228E1FC0A0FDA8CB9299C521203191EBB9284FA400A8C408C3181F91AC88A8309
                                                                                                    Function 00007FF848DB59D0 Relevance: .0, Instructions: 23COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: de468debe682384a4ada51a86ca342db9928b04da778ab81132a384b1a51b698
                                                                                                    • Instruction ID: ef68ea4cef28a5a567923e1251a25af30b5aed19c3c6087cb6697f85a77d622a
                                                                                                    • Opcode Fuzzy Hash: de468debe682384a4ada51a86ca342db9928b04da778ab81132a384b1a51b698
                                                                                                    • Instruction Fuzzy Hash: C6E0C230C1EA864FE708BA328C4517AB1D1FB98281FC44A36DC8CC2195FB2CC7CD924A
                                                                                                    Function 00007FF848DB59E0 Relevance: .0, Instructions: 21COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d606a3eff54a8afc23c6f3d9692f99aba78f197071398acf0b125e50e4cf453a
                                                                                                    • Instruction ID: 31562474720c9ea62289cce9f41e758e8be145e45bea8aa7b5226fab6faaae31
                                                                                                    • Opcode Fuzzy Hash: d606a3eff54a8afc23c6f3d9692f99aba78f197071398acf0b125e50e4cf453a
                                                                                                    • Instruction Fuzzy Hash: D3D02B3082CD150EEB90B63850087F563C0DB74390F040637FC0DD31A4DE485D8502C9
                                                                                                    Function 00007FF848DBEE20 Relevance: .0, Instructions: 21COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1861fa83685490f3ba9cf099254c33a20e971acf7eca4649ed1c806eb9088606
                                                                                                    • Instruction ID: 66be8b41f1e41d709c7b079d187c14a655b3b28fd5df67b2e5c25162bcbaa61d
                                                                                                    • Opcode Fuzzy Hash: 1861fa83685490f3ba9cf099254c33a20e971acf7eca4649ed1c806eb9088606
                                                                                                    • Instruction Fuzzy Hash: 9FE08C2084F78AAFCE42FB7C84961883BF05F06694B9841F9C088CF1B2E21C480EC302
                                                                                                    Function 00007FF848DB04D8 Relevance: .0, Instructions: 20COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 499396a3636772fdd39e9cb70851584cb40483bb86893e95b12545fe786cf2b3
                                                                                                    • Instruction ID: c7df17f623b4f4f59584c7c8ee3c7007af72a9089e4df1a92b87f6a1439d6de3
                                                                                                    • Opcode Fuzzy Hash: 499396a3636772fdd39e9cb70851584cb40483bb86893e95b12545fe786cf2b3
                                                                                                    • Instruction Fuzzy Hash: 5ED0C721A5EC291DFEAC715C61513F85181CF497A0F511076EC0EE32CADDDD1C9506D5
                                                                                                    Function 00007FF848DB3B2C Relevance: .0, Instructions: 18COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 692e7d40b20d1dfc09b147089760a63203f81e3d8a87278811030fa629ce9e3a
                                                                                                    • Instruction ID: 288cc2afd6cd2b6c51ef2951ed38c03a62d14c3d454b0a263334f3940518e5e4
                                                                                                    • Opcode Fuzzy Hash: 692e7d40b20d1dfc09b147089760a63203f81e3d8a87278811030fa629ce9e3a
                                                                                                    • Instruction Fuzzy Hash: 9EE01231E0994E8FDF84FE5CD9A5BEDB7B1EBA9340F104165D508D31D2C77459458740
                                                                                                    Function 00007FF848DCB81B Relevance: .0, Instructions: 17COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3a394e950b25035dc8629c7be66b84009297d9241a72f6c8817db5970dcc6f00
                                                                                                    • Instruction ID: e4d91e338dfb945b206d0d37c1ca1a8a853274dc8bb95c93a38c15d5169ae879
                                                                                                    • Opcode Fuzzy Hash: 3a394e950b25035dc8629c7be66b84009297d9241a72f6c8817db5970dcc6f00
                                                                                                    • Instruction Fuzzy Hash: 66D0C721B19E090B9565A67D64451BAA2D2FB94270F904776D05BC36CDEF2D94434341
                                                                                                    Function 00007FF848DB3B59 Relevance: .0, Instructions: 14COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                    • Instruction ID: aa1464d63b32cc6d8c502712ec748f40ff37957f54b0e7484187c6ee58c86e4b
                                                                                                    • Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                    • Instruction Fuzzy Hash: 91C01232A0880C8E8F80EA8CA0016ECB7E0EB98221F041032D10CE3100CA2014544794

                                                                                                    Non-executed Functions

                                                                                                    Function 00007FF848DC95A9 Relevance: 12.8, Strings: 10, Instructions: 266COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: GH$ JH$8LH$@GH$HLH$PGH$`GH$pGH$xLH$xNH
                                                                                                    • API String ID: 0-4015004523
                                                                                                    • Opcode ID: e7a5c0028fe82c38cf1a23f24be03d31e3e700ab27e163966fc728ce93182dc4
                                                                                                    • Instruction ID: 7500479cb4ca1e3c123c154d5a0929a1a2f2e7837c39c3d72efe8f006f88c489
                                                                                                    • Opcode Fuzzy Hash: e7a5c0028fe82c38cf1a23f24be03d31e3e700ab27e163966fc728ce93182dc4
                                                                                                    • Instruction Fuzzy Hash: B5816252D0FAC25FE317EA3C68292746FA1EF925A5F0941FBD0848F1EBD518490E835A
                                                                                                    Function 00007FF848DB8D98 Relevance: 6.4, Strings: 5, Instructions: 172COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.2307749634.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff848db0000_BootstrapperV1.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (4H$84H$@4H$@uH$PvH
                                                                                                    • API String ID: 0-2455086468
                                                                                                    • Opcode ID: b4b4131695ef228cc267137a4732bc5e2fceafccaa1b27dbfbbe04d37327cbd6
                                                                                                    • Instruction ID: d5292f33c2f8247aa84ce45d31761e0a16838cb740b4c0552024c3e23e1a34ee
                                                                                                    • Opcode Fuzzy Hash: b4b4131695ef228cc267137a4732bc5e2fceafccaa1b27dbfbbe04d37327cbd6
                                                                                                    • Instruction Fuzzy Hash: F451B071D0D98E8FEF85EB68D8593B97BE1FF68380F4400BAC008D7296DB3998058745