
Windows Analysis Report
IM3OLcx7li.exe

Overview

General Information

Sample name: IM3OLcx7li.exe (renamed because the original name is a hash value)
Original sample name: 2b685da51e11e912a197f6b099cc129ea596e0a17e1acda327a14da2f29cc14d.exe
Analysis ID: 1546346
MD5: 5de66177f354c6897c28610c4f7bae57
SHA1: e8ad1bee7ca5c991d1837eb59d0c9b4033e055bf
SHA256: 2b685da51e11e912a197f6b099cc129ea596e0a17e1acda327a14da2f29cc14d
Tags: exe, user-Chainskilabs

Detection

Family: XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • IM3OLcx7li.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\IM3OLcx7li.exe" MD5: 5DE66177F354C6897C28610C4F7BAE57)
    • XClient.exe (PID: 7592 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 06DF71794E08473F20B46AA17C389269)
      • schtasks.exe (PID: 7852 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Bootstrapper.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Roaming\Bootstrapper.exe" MD5: 2A4DCF20B82896BE94EB538260C5FB93)
      • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7688 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 7732 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • WerFault.exe (PID: 7212 cmdline: C:\Windows\system32\WerFault.exe -u -p 7616 -s 2192 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • OpenWith.exe (PID: 7912 cmdline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2" MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 3344 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 6964 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 4080 cmdline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2" MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 8008 cmdline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2" MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 3572 cmdline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2" MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 6160 cmdline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2" MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
{"C2 url": ["nohicsq.localto.net"], "Port": "3985", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
\Device\ConDrv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Roaming\FluxusV1.2 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\FluxusV1.2 | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10123:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x101c0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x102d5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xec2b:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10123:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x101c0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x102d5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xec2b:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000002.00000000.1417942243.0000000000452000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000000.1417942243.0000000000452000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xff23:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xffc0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x100d5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xea2b:$cnc4: POST / HTTP/1.1
00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x30c73:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x432b3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x30d10:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x43350:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x30e25:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x43465:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x2f77b:$cnc4: POST / HTTP/1.1
  • 0x41dbb:$cnc4: POST / HTTP/1.1
Process Memory Space: IM3OLcx7li.exe PID: 7504 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(2 further entries collapsed in the original report)

Source | Rule | Description | Author | Strings
0.2.IM3OLcx7li.exe.30b1b50.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.IM3OLcx7li.exe.30b1b50.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe323:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe3c0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe4d5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xce2b:$cnc4: POST / HTTP/1.1
0.2.IM3OLcx7li.exe.30c4190.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.IM3OLcx7li.exe.30c4190.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe323:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe3c0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe4d5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xce2b:$cnc4: POST / HTTP/1.1
2.0.XClient.exe.450000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(5 further entries collapsed in the original report)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\FluxusV1.2, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\XClient.exe, ProcessId: 7592, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FluxusV1
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\XClient.exe, ProcessId: 7592, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FluxusV1.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XClient.exe" , ParentImage: C:\Users\user\AppData\Roaming\XClient.exe, ParentProcessId: 7592, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2", ProcessId: 7852, ProcessName: schtasks.exe (this event is listed twice in the report)
Source: Process started | Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Bootstrapper.exe" , ParentImage: C:\Users\user\AppData\Roaming\Bootstrapper.exe, ParentProcessId: 7616, ParentProcessName: Bootstrapper.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 7688, ProcessName: cmd.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T19:46:23.043912+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.8 | 49720 | TCP
2024-10-31T19:47:00.849045+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.8 | 49725 | TCP
2024-10-31T19:46:10.383179+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 172.67.203.125 | 443 | TCP
2024-10-31T19:47:38.264525+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49729 | 185.141.35.22 | 3985 | TCP

AV Detection

Source: IM3OLcx7li.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Avira: detection malicious, Label: TR/AVI.Agent.iqkvn
Source: C:\Users\user\AppData\Roaming\FluxusV1.2 | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\XClient.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["nohicsq.localto.net"], "Port": "3985", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | ReversingLabs: Detection: 63%
Source: IM3OLcx7li.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\FluxusV1.2 | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe | Joe Sandbox ML: detected
Source: IM3OLcx7li.exe | Joe Sandbox ML: detected
Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack | String decryptor: nohicsq.localto.net
Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack | String decryptor: 3985
Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack | String decryptor: <123456789>
Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack | String decryptor: <Xwormmm>
Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack | String decryptor: XWorm V5.6
Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack | String decryptor: USB.exe
Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack | String decryptor: %AppData%
Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack | String decryptor: FluxusV1.2
Source: IM3OLcx7li.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 128.116.44.4:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: IM3OLcx7li.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Runtime.Serialization.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: m.pdbL source: Bootstrapper.exe, 00000003.00000002.1606384666.0000026C3E970000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Data.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Xml.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Runtime.Serialization.pdbq source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.ni.pdbRSDS source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C263BD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Drawing.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Configuration.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Data.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Configuration.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Xml.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.pdb source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C263BD000.00000004.00000800.00020000.00000000.sdmp, WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Core.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Data.pdbH source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Numerics.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Windows.Forms.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: mscorlib.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Drawing.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: mscorlib.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Core.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Runtime.Serialization.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.pdbp source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERBD56.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\System.pdbm source: Bootstrapper.exe, 00000003.00000002.1606384666.0000026C3E952000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Numerics.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.ni.pdb source: WERBD56.tmp.dmp.14.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERBD56.tmp.dmp.14.dr

Networking

Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49708 -> 185.141.35.22:3985
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49729 -> 185.141.35.22:3985
Source: Malware configuration extractor | URLs: nohicsq.localto.net
Source: global traffic | TCP traffic: 192.168.2.8:49708 -> 185.141.35.22:3985
Source: global traffic | HTTP traffic detected: GET /asset/discord.json HTTP/1.1; Host: getsolara.dev; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api/endpoint.json HTTP/1.1; Host: getsolara.dev
Source: global traffic | HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1; Host: clientsettings.roblox.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1; Host: www.nodejs.org; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 172.67.203.125
Source: Joe Sandbox View | IP Address: 104.20.22.46
Source: Joe Sandbox View | ASN Name: AS43260TR
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49707 -> 172.67.203.125:443
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.8:49720
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.8:49725
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 4 times)
Source: global traffic | DNS traffic detected: DNS query: getsolara.dev
Source: global traffic | DNS traffic detected: DNS query: nohicsq.localto.net
Source: global traffic | DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic | DNS traffic detected: DNS query: www.nodejs.org
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C260E1000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:64632E
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://clientsettings.roblox.com
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edge-term4-fra4.roblox.com
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C26195000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://getsolara.dev
Source: Bootstrapper.exe.0.dr | String found in binary or memory: http://james.newtonking.com/projects/json
Source: XClient.exe, 00000002.00000002.3884269378.0000000002711000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2617D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr | String found in binary or memory: http://upx.sf.net
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.nodejs.org
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2625D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://096e98d9.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261B2000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2626F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2625D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://096e98d9.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
Source: Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr | String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clientsettings.roblox.com
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2625D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C260E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe.0.dr | String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2618A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getsolara.dev
Source: Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr | String found in binary or memory: https://getsolara.dev/api/endpoint.json
Source: Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C260F3000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C260E1000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr | String found in binary or memory: https://getsolara.dev/asset/discord.json
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw
Source: Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe.0.dr | String found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c
Source: Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C260E1000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr | String found in binary or memory: https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C26259000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ncs.roblox.com/upload
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C26255000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: Bootstrapper.exe.0.dr | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nodejs.org
Source: Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr | String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe.0.dr | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownHTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.8:49705 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.8:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 128.116.44.4:443 -> 192.168.2.8:49709 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.8:49713 version: TLS 1.2

                    Operating System Destruction

                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Process information set: 01 00 00 00

                    System Summary

                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 2.0.XClient.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000002.00000000.1417942243.0000000000452000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\FluxusV1.2, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 2_2_00007FFB4B069446
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 2_2_00007FFB4B06186D
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 2_2_00007FFB4B06A1F2
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 2_2_00007FFB4B062059
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Code function: 2_2_00007FFB4B060EBD
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Code function: 3_2_00007FFB4B056DB0
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Code function: 3_2_00007FFB4B062540
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Bootstrapper.exe EBBCB489171ABFCFCE56554DBAEACD22A15838391CBC7C756DB02995129DEF5A
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7616 -s 2192
                    Source: IM3OLcx7li.exe, 00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs IM3OLcx7li.exe
                    Source: IM3OLcx7li.exe, 00000000.00000000.1412224191.0000000000C90000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOutput.exe4 vs IM3OLcx7li.exe
                    Source: IM3OLcx7li.exe | Binary or memory string: OriginalFilenameOutput.exe4 vs IM3OLcx7li.exe
                    Source: IM3OLcx7li.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 2.0.XClient.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000002.00000000.1417942243.0000000000452000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\FluxusV1.2, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: IM3OLcx7li.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: IM3OLcx7li.exe, 2vQWjXXJimRWbe79pCEPet6wDiJk73.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: XClient.exe.0.dr, BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: XClient.exe.0.dr, OpvejobZ5cJw6qi32Gm1gYPykqdjOxBLomxaIiMCPT.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, OpvejobZ5cJw6qi32Gm1gYPykqdjOxBLomxaIiMCPT.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, OpvejobZ5cJw6qi32Gm1gYPykqdjOxBLomxaIiMCPT.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: FluxusV1.2.2.dr, BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: FluxusV1.2.2.dr, Tg2SEP0VQY.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: FluxusV1.2.2.dr, Tg2SEP0VQY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: XClient.exe.0.dr, Tg2SEP0VQY.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: XClient.exe.0.dr, Tg2SEP0VQY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, Tg2SEP0VQY.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, Tg2SEP0VQY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, Tg2SEP0VQY.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, Tg2SEP0VQY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/13@4/5
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
                    Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Mutant created: \Sessions\1\BaseNamedObjects\I32nKqSRzWhs8X6jy
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\mrQwLieiU5CPBIXL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
                    Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3344:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7616
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                    Source: IM3OLcx7li.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: IM3OLcx7li.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: IM3OLcx7li.exe | ReversingLabs: Detection: 60%
                    Source: unknown | Process created: C:\Users\user\Desktop\IM3OLcx7li.exe "C:\Users\user\Desktop\IM3OLcx7li.exe"
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Process created: C:\Users\user\AppData\Roaming\Bootstrapper.exe "C:\Users\user\AppData\Roaming\Bootstrapper.exe"
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2"
                    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7616 -s 2192
                    Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                    Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                    Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
                    Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
                    Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
                    Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeProcess created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeProcess created: C:\Users\user\AppData\Roaming\Bootstrapper.exe "C:\Users\user\AppData\Roaming\Bootstrapper.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /allJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /allJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\XClient.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\ipconfig.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                    Source: FluxusV1.lnk.2.dr LNK file: ..\..\..\..\..\FluxusV1.2
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: IM3OLcx7li.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: IM3OLcx7li.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Runtime.Serialization.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: m.pdbL source: Bootstrapper.exe, 00000003.00000002.1606384666.0000026C3E970000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Data.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Runtime.Serialization.pdbq source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.ni.pdbRSDS source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C263BD000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Data.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Data.ni.pdbRSDSC source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.pdb source: Bootstrapper.exe, 00000003.00000002.1604700477.0000026C263BD000.00000004.00000800.00020000.00000000.sdmp, WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Core.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Data.pdbH source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Numerics.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: mscorlib.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Drawing.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Core.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Runtime.Serialization.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.pdbp source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\System.pdbm source: Bootstrapper.exe, 00000003.00000002.1606384666.0000026C3E952000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Numerics.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.ni.pdb source: WERBD56.tmp.dmp.14.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERBD56.tmp.dmp.14.dr

                    Data Obfuscation

                    Source: XClient.exe.0.dr, lwCMFX9W8i.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IPxnaeCqqP.v97gofGop8,IPxnaeCqqP._2K51bvSoES,IPxnaeCqqP.A8uXmUk0jQ,IPxnaeCqqP._4RLVsYH0YO,BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.b3zl4uRwwY6ukR7b6bzhUvW0EySBBzqEzmRW5goEyh()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.0.dr, lwCMFX9W8i.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Kvi3w5OZF2[2],BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2._8lDetZwdnyadMSUexUYebaovugM37JspOQsiO2VXlD(Convert.FromBase64String(Kvi3w5OZF2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, lwCMFX9W8i.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IPxnaeCqqP.v97gofGop8,IPxnaeCqqP._2K51bvSoES,IPxnaeCqqP.A8uXmUk0jQ,IPxnaeCqqP._4RLVsYH0YO,BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.b3zl4uRwwY6ukR7b6bzhUvW0EySBBzqEzmRW5goEyh()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, lwCMFX9W8i.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Kvi3w5OZF2[2],BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2._8lDetZwdnyadMSUexUYebaovugM37JspOQsiO2VXlD(Convert.FromBase64String(Kvi3w5OZF2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, lwCMFX9W8i.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IPxnaeCqqP.v97gofGop8,IPxnaeCqqP._2K51bvSoES,IPxnaeCqqP.A8uXmUk0jQ,IPxnaeCqqP._4RLVsYH0YO,BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.b3zl4uRwwY6ukR7b6bzhUvW0EySBBzqEzmRW5goEyh()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, lwCMFX9W8i.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Kvi3w5OZF2[2],BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2._8lDetZwdnyadMSUexUYebaovugM37JspOQsiO2VXlD(Convert.FromBase64String(Kvi3w5OZF2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: FluxusV1.2.2.dr, lwCMFX9W8i.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IPxnaeCqqP.v97gofGop8,IPxnaeCqqP._2K51bvSoES,IPxnaeCqqP.A8uXmUk0jQ,IPxnaeCqqP._4RLVsYH0YO,BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.b3zl4uRwwY6ukR7b6bzhUvW0EySBBzqEzmRW5goEyh()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: FluxusV1.2.2.dr, lwCMFX9W8i.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Kvi3w5OZF2[2],BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2._8lDetZwdnyadMSUexUYebaovugM37JspOQsiO2VXlD(Convert.FromBase64String(Kvi3w5OZF2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.0.dr, lwCMFX9W8i.cs.Net Code: _2VoyIVV9D3 System.AppDomain.Load(byte[])
                    Source: XClient.exe.0.dr, lwCMFX9W8i.cs.Net Code: TInrtXcXfH System.AppDomain.Load(byte[])
                    Source: XClient.exe.0.dr, lwCMFX9W8i.cs.Net Code: TInrtXcXfH
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, lwCMFX9W8i.cs.Net Code: _2VoyIVV9D3 System.AppDomain.Load(byte[])
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, lwCMFX9W8i.cs.Net Code: TInrtXcXfH System.AppDomain.Load(byte[])
                    Source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, lwCMFX9W8i.cs.Net Code: TInrtXcXfH
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, lwCMFX9W8i.cs.Net Code: _2VoyIVV9D3 System.AppDomain.Load(byte[])
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, lwCMFX9W8i.cs.Net Code: TInrtXcXfH System.AppDomain.Load(byte[])
                    Source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, lwCMFX9W8i.cs.Net Code: TInrtXcXfH
                    Source: FluxusV1.2.2.dr, lwCMFX9W8i.cs.Net Code: _2VoyIVV9D3 System.AppDomain.Load(byte[])
                    Source: FluxusV1.2.2.dr, lwCMFX9W8i.cs.Net Code: TInrtXcXfH System.AppDomain.Load(byte[])
                    Source: FluxusV1.2.2.dr, lwCMFX9W8i.cs.Net Code: TInrtXcXfH
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exeCode function: 0_2_00007FFB4B0400BD pushad ; iretd 0_2_00007FFB4B0400C1
                    Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 2_2_00007FFB4B062CAD push E95AF54Fh; ret 2_2_00007FFB4B062D79
                    Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 2_2_00007FFB4B0600BD pushad ; iretd 2_2_00007FFB4B0600C1
                    Source: C:\Users\user\AppData\Roaming\XClient.exeCode function: 2_2_00007FFB4B06253D push E95DA13Bh; retf 2_2_00007FFB4B062589
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeCode function: 3_2_00007FFB4B06D668 push ss; retf 3_2_00007FFB4B06D837
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeCode function: 3_2_00007FFB4B06A272 push ebx; retf 3_2_00007FFB4B06A282
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeCode function: 3_2_00007FFB4B0500BD pushad ; iretd 3_2_00007FFB4B0500C1
                    Source: IM3OLcx7li.exeStatic PE information: section name: .text entropy: 7.997895898511622
                    Source: IM3OLcx7li.exe, 2vQWjXXJimRWbe79pCEPet6wDiJk73.cs | High entropy of concatenated method names: '_7K3A5VH6nvC96kiWeqa2dEPS7Lyiar', 'vEc3phBV0xTGPymHbsnf8Jp6CdqH5N', 'wFypMbbeJPaHTLGbEbp6TXaqiu4GTi', 'zy34NsEwZSTfRBRVYkgMz8fMVuGPQJ', 'ZpbTJXMaJBpyDJQCSx43xH43X7bauP', 'PizAeFhfRLK6ruDaejixbdwr0fNd7f', 'I9IJteLd20TRgmY3ZZ6Q5zOCTbg44N', 'Hbb7xdrnXU1NRn7GifkpuprdagsCig', 'nujBmSsf3Y4DzpdseUwCOz3iyzvgHu', 'xJEj6MNlvukW5WHSInQ3N1xTSlVyrC'
                    Source: IM3OLcx7li.exe, RjlBKnJ82IkA1hZF7RVGlb1CXo9XQL22AAU4jSsKnOTSeRZr8rlLtRsECJ2ul70G9kNoejElNqoG6CBFgoVY6i08.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'aDEDaq1xkOkD1evi8zBws4VoFmGWFy', '_5lasQrdv5DF7KJDqiMte3r7d9eLn7d', 'YpafLBVZ6cjWWkTTi6fBaazkQ8fD0j', 'XB0mXGHojzurglzwU6wY16kpsVO9AY'
                    Source: XClient.exe.0.dr, tcUBuJyp0kuY1K9nNfoDVKWb3Y2iLNMkOSt18PAfuw.cs | High entropy of concatenated method names: '_78AiBUnam0GXHIT2bUMaKPAPIxPeU3UzjHu1oVTBil', 'S5EqkR7mqWtZ6a5IDp7TyK6CW3zUveXII7p6hex5lf', '_74w4J0jQDQeaRheGhODj7J1orXj4aECV0HLwttilZo', 'jDQGzjrRie4pj7FGNp4hm5dA5PzQfrv1DC', 'gzkt1ZlpKxQH7e4CLzdmKnsGr0Kmr4Ho1Q', 'EJDoh3Fp8n9GMS1oujFXICK3NrYzvmKh0N', 'vOAEQwOFwYSdQUK0FVtj1aKcE6b5N8Au1s', 'NDYjrCSkmSWsEp4NPUsRvzWoqafPR5ZG8I', 'bmyc4xo5965cxDCPFgLgx5JY70onYeDK09', 'EXF47bzkH5BvDNhPHWf85AlU9CYbDjoNIZ'
                    Source: XClient.exe.0.dr, IPxnaeCqqP.cs | High entropy of concatenated method names: 'kpOZ4Lt4gwgG6jEol4HErnvw3jlMytzzSEomBshznzBJFIbGZTAkLj08A5mEy3u7GX3vJ7ITpZv', 'XgYRkUjXMkKuRfYYgwrHeeyxxxx3GARfl4k2nt4TXKJFY0CueIhIZwTeZJVQab1GUIwiEddVsDm', 'dCKcADEnm1pgzEZ5NF2thGG6DPKmDQv4IuI1FfjvArWHP1gQ6ujRNDpOx6cz6DA7sO1CsCud5D5', 'N8pW5VnFzT01TiSEcaePj6duYoBWruMXXWHmpX4fEZXMLwpvNaghyN3r4sf8CByvMW8UUdFhXQX'
                    Source: XClient.exe.0.dr, T2rJptLwPG.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'J5IuNcupU83hvhiYvCxejrODgOXDKiIt7Wo8MFlP3YlHZS0AOgnpUtSpXbu6WtrvinKESr8PxuB', 'iCGZZL3rRFfoAbUpnBPykINaEAIVpbYZaPiQp2G45DCXM4m4yAEGHVf13HLiz1sfTN9cKa5Shcb', 'LnzIZCzISJljIBEHkkvvj5TVblFTJjCsy62eN2gaaDhcbXJW99vBTe6eop1mKmh97mZdQz5zd7Y', 'zc25bB6Wlur92PeZxEqWzpDfU0k2b4mb1pNeTVqJyxsykZ43HoPI4Fjkakif7N0lC0occwwDgEv'
                    Source: XClient.exe.0.dr, BDbQyeWeqKawLn2TITK3XKKqFPG0FMt2ol4DmWXRG2.cs | High entropy of concatenated method names: '_2EqnGlerJ95QK3dN35ozNwI92clP197L7qaRx4MDix', 'M3end8FIGZ4KT9P4OIrkI7lOY6uefbu1knvCiaLTQZ', 'UB86svJ6sgtJNB4AX0IWib65Z7cmqCtOCG5soF6aQE', 'WavXTkBJsA5bacGyLGwWX8bYuUY8HnU31HV7GzkR1x', 'm8FIqM5LYq2Y7u9ojLyVPnZIfEQU88ZNPNfut9nSco', 'NyR9EmAuCCsrvWQ2lS4ldaRaqXBCTYvod4gLhwfRCV', 'mvmTNdUQ0549BZn400UDatdRrwzfXd0cRQ1mmtRptI', 'eoarsbfcp1vPsD4LkP3IV1J6LH32YSojYKOBlcjB96', 'htrsTOU8XXNN899rADQLEIjZWCoQ9KkC03317eVYu3', 'c1FnzvrNrNJHwStR1vWzpcERrsPMA1JM6ryRFHarKc'
                    Source: XClient.exe.0.dr, OpvejobZ5cJw6qi32Gm1gYPykqdjOxBLomxaIiMCPT.cs | High entropy of concatenated method names: '_4waLpMAEzWeRir3qWytT5PnoT1PSwwTtuxqYfoZyd1', '_5ZjYoZLsOvyaZnbzfGGrtQwo9hC0G6TOBapJUiPH6xMp2E8MC392OfI9CeHhdSJ8Ky2okhTvjf6BUJdUUn2pqdKeIfz4', '_0jFaZDkAojeMl3nP3zTPKOpbOk1CtRPnKqpDdZMTyiUMoao9E5PErOa20Cl0qVdxVGSheOiCLJRCjsxomRPIWeueIqBg', 's7C7nFoNrPXr2q7svwhZVbdnj6n97gS3myIPXuYNBdZZpsbhxG08ymk9tFGUk2zTIb0bFVJGMrtARtQNBnNX7lo1C5ZB', 'oiJ1zkP8qZe40ZQ5d6zU6mKGGHiMmy78gP2EFcctnwnFFHACJOQXOQsGclrcs1ruQHwj2SOYuYY93Dt9Y5d5j9DCOcMS'
                    Source: XClient.exe.0.dr, OPQSObGEdF.cs | High entropy of concatenated method names: 'nLxMkeOnhK', 'RrCIK2qlvps70cb2JD1lTEMJ09kzPxMTokjndb2YUg', 'EtzlqS3tZnwyUpZBJiMJhkmGhlpIgvnw0tWIpUToRK', 'fyKZSWca3YMdQ3kwNZe7sRlLHTPvnfDvnovTVKJVJo', 'GwaTytUCxvQPOK34A5vtH3rATveCM4blqOT4NbHhDn8lB62M6Z2OPnTz0LrlHn05MBRuZdr9XWEFhwC8LEC9KOXBWxXL', 'RId9W2xGdGQqJEAQ3oYj2A0IfHcdf3R8CKnHeGPjoLbtkDq2SeLTGjhYmF3U3zmw1kuwfFUWAKFVMgcgnz9wYoIsYD0C', 'IoJCdaApHn7iNflgF4clCmWKyCkzMKB5maKWfmCt1R6Dtr1uEuT7yQqJsy4s3t9VxBiTr0ZYzei0iSYBup8ZBJxPAOJJ', '_3TH0r03vlIN10OAfgMsthv96KEIC0woj09b5bKAQVuOHZht39AafLFzsAEV1Foz4v7vq8gQZ9Tp5HSIMarSTbVBqRlCS', 'YXAG4k8tLMvVT9gW7Dmy24WKjHpWUUTSlKj2lB9I15dvtzVvuNg0BUuk5FsqtZpBwswINpzgh5SfKed3NfVrntTxfe79', 'UuZlKO76R6ZxpWqCSkFtb7bxuSKMtyCkazEFfLs6zOXKrFjQ1xuPhmazxwJRujFetS6T1W5ev2krq7gex46QwhgKBHrw'
                    Source: XClient.exe.0.dr, AhV9cITdXv.cs | High entropy of concatenated method names: 'o66L9pVmf6', 'F2L0T4ReRRIYxR6AV87g98WDezmBJKQMtYCUBrolWftJxApx1vdZy6cDOTBM', 'eEHGXaV3WChdB3RyVXydCxEyQ3QZHz1FJxnbQcJJ0mQxHVKFaq8gDsvyynon', 'Hn4JvYR4SN1pAM9mzmo6W75hN9b4ZTwnLkopcGIfcSgeu0VDg52rKwo91WSK', 'RDIH21FTGzFpOsa7QsLwTAglGPOYNnaFxRK1xZ4c3cZckHXWYk6HR4ap37v7'
                    Source: XClient.exe.0.dr, lwCMFX9W8i.cs | High entropy of concatenated method names: 'SqZ5p8959e', '_2VoyIVV9D3', '_0RRX4Y5ycE', 'VcfrjE5JxA', '_1AmYyyaDVS', 'ugEYsiFbng', 'VBsPu5NYEX', 'iw5eT8lnQx', 'fZztcJinWH', 'yBH6HZQOkT'
                    Source: XClient.exe.0.dr, tiWHr4oL6x.cs | High entropy of concatenated method names: 'BBCX1lsSLM', 'ZWeRD6vsad', 'qrar9acQxn', 'whhd0lUifU', '_1GwOXv9cI0JjJShOAumvZeKIpwFKr3qvLhRmRNE6l1W3bvOR8FsQJTjCjjiQ9OsPk0ZjreRnQC3', 'PLOU9UQCsvkN6CG2GzHRlW4OqPPakakwEe5Sj6qhWK1vviqWNrGJYuSGqAwo', 'WRjWOmJZYIVxPkp79zEy6DDpqgo5xM5gaFx6PckgCrsKtorwYvuS2Pj99EUc', '_2bOmzBFS7qG56yPgkL6vb4D9U0YWqsNkhddZsZoQK3HsBmwNgdiurVp8reWB', 'cOI1T4oDoT6aTxDIzHQC6f3eGQ88GazQDbgmUmgStJxEuZwlqh4hU0F5fDOB', 'IINVuPw0fslgm8QAlbADV1iMx4mGNaJS9G6gLPgQMAwDnMpSLuGYcrI3Ural'
                    Source: XClient.exe.0.dr, wHUoYuStNT.cs | High entropy of concatenated method names: 'gKavcLYxB2', 'Ysj6ITnkWo', 'BWogeR5NM0', 'aNLHHkHuTj', '_94irga28Sf', 'pYvsbJzF9x', 'Q1VPVic2ED', 'EpVhXBCX0T', 'MJnGzoScGj', 'iJbM0C3tUS'
                    Source: XClient.exe.0.dr, Tg2SEP0VQY.cs | High entropy of concatenated method names: '_7lJn1gsbhw', 'gwfwc4IgTH', 'niAJutz802', 'Hg5bc2RT5N', 'GcJ7OYHwP7', 'ocfBZU5brU', 'FUZFHDznAL', 'gubihUXUoM', 'nYGikdb4Tx', 'C5DdPW80RG'

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | File created: C:\Users\user\AppData\Roaming\FluxusV1.2
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | File created: C:\Users\user\AppData\Roaming\Bootstrapper.exe
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2"
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FluxusV1.lnk
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FluxusV1
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XClient.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\OpenWith.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\XClient.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe; Memory allocated: 15D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe; Memory allocated: 1B090000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; Memory allocated: CA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; Memory allocated: 1A710000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Memory allocated: 26C245A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Memory allocated: 26C3E0E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 599859
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 599747
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 599604
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 599465
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 599358
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 599249
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 599140
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 599029
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598920
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598812
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598702
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598593
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598483
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598375
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598265
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598153
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 598046
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 597914
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 597710
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 597578
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 597453
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 597343
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 597233
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 597124
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 597015
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596906
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596796
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596687
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596578
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596468
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596359
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596249
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596140
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 596031
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 595921
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 595812
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 595703
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 595593
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 595484
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 595375
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 595214
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 595103
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 594984
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 594875
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 594765
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 594655
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 594510
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Thread delayed: delay time: 586338
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; Window / User API: threadDelayed 5669
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; Window / User API: threadDelayed 4149
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Window / User API: threadDelayed 6249
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe; Window / User API: threadDelayed 3595
                    Source: C:\Users\user\Desktop\IM3OLcx7li.exe TID: 7528; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7968; Thread sleep time: -37815825351104557s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -599859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -599747s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -599604s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -599465s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -599358s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -599249s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -599140s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -599029s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598920s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598812s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598702s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598593s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598483s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598375s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598265s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598153s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -598046s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -597914s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -597710s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -597578s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -597453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -597343s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -597233s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -597124s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -597015s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596906s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596796s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596687s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596578s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596468s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596359s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596249s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596140s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -596031s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -595921s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -595812s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -595703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -595593s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -595484s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -595375s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -595214s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -595103s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -594984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -594875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -594765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -594655s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -594510s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904; Thread sleep time: -586338s >= -30000s
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Thread delayed: delay time (49 successive waits, in order): 600000, 599859, 599747, 599604, 599465, 599358, 599249, 599140, 599029, 598920, 598812, 598702, 598593, 598483, 598375, 598265, 598153, 598046, 597914, 597710, 597578, 597453, 597343, 597233, 597124, 597015, 596906, 596796, 596687, 596578, 596468, 596359, 596249, 596140, 596031, 595921, 595812, 595703, 595593, 595484, 595375, 595214, 595103, 594984, 594875, 594765, 594655, 594510, 586338
Source: Amcache.hve.14.dr | Binary or memory string: VMware
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.14.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Bootstrapper.exe, 00000003.00000002.1603783639.0000026C2442D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFR=
Source: XClient.exe, 00000002.00000002.3892496244.000000001B6B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWors"%SystemRoot%\system32\mswsock.dlliceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowDefinition="MachineOnly" allowExeD
Source: Amcache.hve.14.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: IM3OLcx7li.exe, 00000000.00000002.1420326661.000000001BC48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Amcache.hve.14.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563

Note on reading the strings above: everything attributed to Amcache.hve.14.dr is the analysis guest's own device and driver inventory (VMware SCSI disk and CD-ROM, VMCI bus, Hyper-V generation counter, VMware BIOS) read back from a copy of the Amcache registry hive written during the run (the .14.dr suffix marks a file dropped by a process in this trace). It documents where the sample ran, not a check the sample performed. The "Hyper-V RAW ... mswsock.dll" strings in XClient.exe and Bootstrapper.exe memory are the Winsock catalog entry for the Hyper-V socket provider and appear in any process that loads mswsock.dll. The sample's own VM-awareness is the Win32_VideoController WMI query flagged in the signature list, not these strings.
Source: C:\Users\user\AppData\Roaming\XClient.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Process queried: DebugPort (observed 2 times)
Source: C:\Users\user\AppData\Roaming\XClient.exe | Process token adjusted: Debug (observed 2 times)
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Memory allocated: page read and write | page guard
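The thread-delay evidence above is easier to reason about once it is reduced to a per-process profile: which process waits forever, which one sleeps past the report's own "long sleeps (>= 3 min)" threshold, and which one is re-arming a wait in a loop (the Bootstrapper.exe values shrink by roughly 110 ms per pass, and the same numbers recur in the "Thread sleep time: -Ns >= -30000s" lines, so both series are treated as milliseconds). The following is an added example, not code from Joe Sandbox or from the sample; it parses constructed lines in the pipe-separated shape used above, with values copied from the report. The reading of 922337203685477 as Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue in milliseconds and therefore an indefinite wait, is an interpretation rather than something the report states, and the 1000 ms loop-step heuristic and the 3-step minimum are assumptions:

```python
"""Triage sleep-based sandbox evasion from Joe Sandbox style behaviour lines."""
import re
from dataclasses import dataclass

# Threshold the report itself applies for "Contains long sleeps (>= 3 min)".
LONG_SLEEP_MS = 3 * 60 * 1000
# Int64.MaxValue ticks / 10,000 ticks per ms == TimeSpan.MaxValue in milliseconds.
# Interpretation (not stated by the report): this is how an indefinite wait renders.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
# Assumption: consecutive waits that each shrink by less than LOOP_STEP_MS, at
# least LOOP_MIN_STEPS times in a row, are one deadline-relative wait loop.
LOOP_STEP_MS = 1_000
LOOP_MIN_STEPS = 3

# Constructed input (values copied from the report section above, layout simplified).
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Thread delayed: delay time: 599747
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Thread delayed: delay time: 599604
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe TID: 7904 | Thread sleep time: -595593s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
"""

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<detail>.+?)\s*$")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s >= -(\d+)s")


@dataclass
class SleepProfile:
    process: str
    waits_ms: list
    infinite_wait: bool = False
    long_sleep_count: int = 0
    deadline_loop: bool = False
    max_wait_ms: int = 0


def process_name(src: str) -> str:
    """'C:\\...\\Bootstrapper.exe TID: 7904' -> 'Bootstrapper.exe'."""
    return src.split(" TID:")[0].rsplit("\\", 1)[-1]


def parse_events(text: str):
    """Yield (process, wait_ms) for every line that carries a numeric wait."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = DELAY_RE.search(m.group("detail")) or SLEEP_RE.search(m.group("detail"))
        if d:
            yield process_name(m.group("src")), int(d.group(1))


def has_deadline_loop(waits) -> bool:
    """True once LOOP_MIN_STEPS consecutive waits each shrink by < LOOP_STEP_MS."""
    run = 0
    for prev, cur in zip(waits, waits[1:]):
        if 0 < prev - cur < LOOP_STEP_MS:
            run += 1
            if run >= LOOP_MIN_STEPS:
                return True
        else:
            run = 0
    return False


def profile_sleeps(text: str) -> dict:
    """Group waits by process and derive the evasion-relevant facts per process."""
    profiles = {}
    for proc, ms in parse_events(text):
        profiles.setdefault(proc, SleepProfile(proc, [])).waits_ms.append(ms)
    for p in profiles.values():
        finite = [w for w in p.waits_ms if w != TIMESPAN_MAX_MS]
        p.infinite_wait = len(finite) != len(p.waits_ms)
        p.long_sleep_count = sum(w >= LONG_SLEEP_MS for w in finite)
        p.deadline_loop = has_deadline_loop(finite)
        p.max_wait_ms = max(finite, default=0)
    return profiles


def tags(p: SleepProfile) -> list:
    """Short labels an analyst can pivot on."""
    out = []
    if p.infinite_wait:
        out.append("infinite-wait")
    if p.long_sleep_count:
        out.append("long-sleep")
    if p.deadline_loop:
        out.append("deadline-loop")
    return out


if __name__ == "__main__":
    for p in profile_sleeps(SAMPLE_EVENTS).values():
        print(f"{p.process:<18} max={p.max_wait_ms:>7} ms  {', '.join(tags(p)) or '-'}")
```

An indefinite wait on its own is weak evidence: a RAT client that parks its main thread while worker threads talk to the C2 produces the same line. The Bootstrapper.exe pattern is the stronger signal, because a ten-minute deadline that is recomputed on every pass survives a sandbox that patches individual Sleep calls, and it is exactly what the report's "Contains long sleeps (>= 3 min)" signature fires on.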

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: Bootstrapper.exe PID: 7616, type: MEMORYSTR
Source: Yara match | File source: \Device\ConDrv, type: DROPPED
Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Process created: C:\Users\user\AppData\Roaming\Bootstrapper.exe "C:\Users\user\AppData\Roaming\Bootstrapper.exe"
Source: C:\Users\user\AppData\Roaming\XClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2"
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Queries volume information: C:\Users\user\Desktop\IM3OLcx7li.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe | Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Queries volume information: C:\Users\user\AppData\Roaming\Bootstrapper.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bootstrapper.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf, C:\Windows\Fonts\seguisb.ttf, C:\Windows\Fonts\seguisym.ttf VolumeInformation (18 queries across the three font files)
Source: C:\Users\user\Desktop\IM3OLcx7li.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: XClient.exe, 00000002.00000002.3892496244.000000001B742000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.3880875516.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.3880875516.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.3892496244.000000001B6B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Roaming\XClient.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (observed 3 times)
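The schtasks.exe command line logged above is the persistence mechanism in one line: a task recreated with /f, run every minute, with the highest run level, pointing at a file in %AppData% whose name ends in ".2" rather than ".exe" even though the report identifies the dropped FluxusV1.2 as a PE32. Those are the properties a detection on process-creation telemetry (Sysmon event 1, Security 4688) should pull apart rather than string-match. The following is an added example, not code from the report or from the sample's authors; it parses a schtasks command line with Windows quoting and scores it. The command line is copied from the report, the benign comparison line is constructed, and the switch list, the user-writable directory list, the "/mo <= 5 minutes" cut-off and the extension list are assumptions:

```python
"""Score scheduled-task persistence from a schtasks.exe command line."""
import shlex
from pathlib import PureWindowsPath

# Copied from the report's process-creation evidence.
REPORT_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute '
                  r'/mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2"')
# Constructed benign comparison: nightly job, default run level, Program Files.
BENIGN_CMDLINE = (r'schtasks.exe /create /sc daily /st 03:00 /tn "NightlyBackup" '
                  r'/tr "C:\Program Files\Backup\backup.exe"')

VERBS = {"/create", "/delete", "/change", "/run", "/end", "/query"}
# Assumption: the value-taking switches we care about (schtasks has more).
VALUED_SWITCHES = {"/sc", "/mo", "/tn", "/tr", "/rl", "/ru", "/st", "/sd"}
# Assumption: directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
EXEC_EXT = {".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def parse_schtasks(cmdline: str) -> dict:
    """Return {'_verb': 'create', 'sc': 'minute', 'f': True, ...}.

    posix=False keeps Windows backslashes and returns quoted values with their
    quotes, which are stripped here; switch names are lower-cased, values are not.
    """
    tokens = shlex.split(cmdline, posix=False)
    args = {}
    i = 1  # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VERBS:
            args["_verb"] = tok[1:]
        elif tok in VALUED_SWITCHES and i + 1 < len(tokens):
            args[tok[1:]] = tokens[i + 1].strip('"')
            i += 1
        elif tok.startswith("/"):
            args[tok[1:]] = True          # bare flag such as /f
        i += 1
    return args


def assess(args: dict) -> list:
    """Findings for a /create command; an empty list means nothing stood out."""
    findings = []
    if args.get("_verb") != "create":
        return findings
    sc, mo = str(args.get("sc", "")).lower(), str(args.get("mo", ""))
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:
        findings.append(f"high-frequency trigger: every {mo} minute(s)")
    if str(args.get("rl", "")).upper() == "HIGHEST":
        findings.append("runs with highest available privileges (/RL HIGHEST)")
    if args.get("f") is True:
        findings.append("silently overwrites an existing task of the same name (/F)")
    tr = str(args.get("tr", ""))
    if tr:
        if any(d in tr.lower() for d in USER_WRITABLE):
            findings.append(f"action lives in a user-writable path: {tr}")
        if PureWindowsPath(tr).suffix.lower() not in EXEC_EXT:
            findings.append("action lacks an executable extension "
                            "(CreateProcess still runs a PE whatever the extension)")
    return findings


if __name__ == "__main__":
    for label, cmd in (("report", REPORT_CMDLINE), ("benign", BENIGN_CMDLINE)):
        found = assess(parse_schtasks(cmd))
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The parser deliberately keeps the whole /tr value as the path; a task action that carries arguments ("foo.exe /x") would need to be split on the first unquoted space before the extension check. Paired with the root\SecurityCenter2 AntivirusProduct query from the same process, the task is the part of this chain that survives a reboot, so it is the artefact to hunt for on other hosts.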

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.IM3OLcx7li.exe.30b1b50.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IM3OLcx7li.exe.30c4190.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.XClient.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1417942243.0000000000452000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IM3OLcx7li.exe PID: 7504, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XClient.exe PID: 7592, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\FluxusV1.2, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 0.2.IM3OLcx7li.exe.30b1b50.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IM3OLcx7li.exe.30c4190.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.XClient.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IM3OLcx7li.exe.30c4190.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IM3OLcx7li.exe.30b1b50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1417942243.0000000000452000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IM3OLcx7li.exe PID: 7504, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: XClient.exe PID: 7592, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\FluxusV1.2, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
MITRE ATT&CK Matrix

Techniques with signature hits, grouped by tactic. The leading number is the hit badge rendered on the matrix cell; tactics without a hit (Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact) are omitted.

Execution: 11 Windows Management Instrumentation; 1 Scheduled Task/Job
Persistence: 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
Discovery: 231 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Collection: 11 Archive Collected Data
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol
Behavior Graph (ID 1546346, sample IM3OLcx7li.exe, start date 31/10/2024, architecture WINDOWS, score 100)

Contacted hosts: nohicsq.localto.net; www.nodejs.org; 5 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
Top-level processes: IM3OLcx7li.exe; OpenWith.exe (2 instances); 5 other processes

IM3OLcx7li.exe
  dropped: C:\Users\user\AppData\Roaming\XClient.exe (PE32); C:\Users\user\AppData\...\Bootstrapper.exe (PE32+); C:\Users\user\AppData\...\IM3OLcx7li.exe.log (CSV)
  started: XClient.exe; Bootstrapper.exe

XClient.exe
  network: nohicsq.localto.net (185.141.35.22) port 3985, from local ports 49708 and 49729, AS43260, TR (Turkey)
  dropped: C:\Users\user\AppData\Roaming\FluxusV1.2 (PE32)
  signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Uses schtasks.exe or at.exe to add and modify task schedules
  started: schtasks.exe, which started conhost.exe

Bootstrapper.exe
  network: edge-term4-fra4.roblox.com (128.116.44.4) port 443, from local port 49709, ROBLOX-PRODUCTIONUS, United States; www.nodejs.org (104.20.22.46) port 443, from local port 49713, CLOUDFLARENETUS, United States; 2 other IPs or domains
  dropped: \Device\ConDrv (ISO-8859)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  started: cmd.exe (signature: Uses ipconfig to lookup or modify the Windows network settings), which started ipconfig.exe and conhost.exe; WerFault.exe; conhost.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
IM3OLcx7li.exe | 61% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
IM3OLcx7li.exe | 100% | Avira | TR/Dropper.Gen
IM3OLcx7li.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Bootstrapper.exe | 100% | Avira | TR/AVI.Agent.iqkvn
C:\Users\user\AppData\Roaming\FluxusV1.2 | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\Bootstrapper.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\FluxusV1.2 | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Bootstrapper.exe | 63% | ReversingLabs | Win64.Trojan.Malgent

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
https://www.newtonsoft.com/jsonschema | 0% | URL Reputation | safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    NameIPActiveMaliciousAntivirus DetectionReputation
                    edge-term4-fra4.roblox.com
                    128.116.44.4
                    truefalse
                      unknown
                      getsolara.dev
                      172.67.203.125
                      truefalse
                        unknown
                        www.nodejs.org
                        104.20.22.46
                        truefalse
                          unknown
                          nohicsq.localto.net
                          185.141.35.22
                          truetrue
                            unknown
                            clientsettings.roblox.com
                            unknown
                            unknownfalse
                              unknown
                              NameMaliciousAntivirus DetectionReputation
                              nohicsq.localto.nettrue
                                unknown
                                https://getsolara.dev/asset/discord.jsonfalse
                                  unknown
                                  https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/livefalse
                                    unknown
                                    https://getsolara.dev/api/endpoint.jsonfalse
                                      unknown
                                      https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msifalse
                                        unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:6463 | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261DF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://127.0.0.1:64632E | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261DF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.nodejs.org | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://discord.com | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C260E1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://096e98d9.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2625D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ncs.roblox.com/upload | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C26259000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.nodejs.org | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.14.dr | false | URL Reputation: safe | unknown
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://james.newtonking.com/projects/json | Bootstrapper.exe.0.dr | false | URL Reputation: safe | unknown
https://096e98d9.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261B2000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2626F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2625D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://edge-term4-fra4.roblox.com | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://getsolara.dev | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C26195000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://discord.com;http://127.0.0.1:6463/rpc?v=11 | Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe.0.dr | false | | unknown
https://aka.ms/vs/17/release/vc_redist.x64.exe | Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr | false | | unknown
https://getsolara.dev | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2618A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.newtonsoft.com/jsonschema | Bootstrapper.exe.0.dr | false | URL Reputation: safe | unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson | Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe.0.dr | false | URL Reputation: safe | unknown
https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw | Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C260E1000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe.0.dr | false | | unknown
http://127.0.0.1:6463/rpc?v=1 | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C260E1000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261DF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | XClient.exe, 00000002.00000002.3884269378.0000000002711000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2617D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://clientsettings.roblox.com | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000003.00000002.1604700477.0000026C26255000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://pastebin.com/raw/pjseRvyK | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C261F7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://clientsettings.roblox.com | Bootstrapper.exe, 00000003.00000002.1604700477.0000026C2627F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c | Bootstrapper.exe, 00000003.00000000.1418917853.0000026C241B2000.00000002.00000001.01000000.00000007.sdmp, Bootstrapper.exe.0.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.203.125 | getsolara.dev | United States | 13335 | CLOUDFLARENETUS | false
185.141.35.22 | nohicsq.localto.net | Turkey | 43260 | AS43260TR | true
128.116.44.4 | edge-term4-fra4.roblox.com | United States | 22697 | ROBLOX-PRODUCTIONUS | false
104.20.22.46 | www.nodejs.org | United States | 13335 | CLOUDFLARENETUS | false
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546346
Start date and time: 2024-10-31 19:45:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: IM3OLcx7li.exe
renamed because original name is a hash value
Original Sample Name: 2b685da51e11e912a197f6b099cc129ea596e0a17e1acda327a14da2f29cc14d.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@22/13@4/5
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 151
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94, 52.182.143.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Execution Graph export aborted for target Bootstrapper.exe, PID 7616 because it is empty
• Execution Graph export aborted for target IM3OLcx7li.exe, PID 7504 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: IM3OLcx7li.exe
Time | Type | Description
14:46:08 | API Interceptor | 12775623x Sleep call for process: XClient.exe modified
14:46:08 | API Interceptor | 49x Sleep call for process: Bootstrapper.exe modified
14:46:16 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
14:46:22 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
19:46:08 | Task Scheduler | Run new task: FluxusV1 path: C:\Users\user\AppData\Roaming\FluxusV1.2
19:46:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run FluxusV1 C:\Users\user\AppData\Roaming\FluxusV1.2
19:46:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run FluxusV1 C:\Users\user\AppData\Roaming\FluxusV1.2
19:46:24 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FluxusV1.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.203.125 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | malicious | Blank Grabber
172.67.203.125 | cgqdM4IA7C.exe | malicious | XWorm
172.67.203.125 | oIDX88LpSs.exe | malicious | XWorm
172.67.203.125 | hKWBNgRd7p.exe | malicious | XWorm
172.67.203.125 | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | malicious | Unknown
172.67.203.125 | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | malicious | Unknown
172.67.203.125 | BootstrapperV1.19.exe | malicious | DCRat, PureLog Stealer, zgRAT
172.67.203.125 | RHUENHera1.exe | malicious | AsyncRAT, XWorm
172.67.203.125 | SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe | malicious | Unknown
172.67.203.125 | SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe | malicious | Unknown
185.141.35.22 | cgqdM4IA7C.exe | malicious | XWorm
185.141.35.22 | oIDX88LpSs.exe | malicious | XWorm
185.141.35.22 | PDF.exe | malicious | XWorm
128.116.44.4 | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown
128.116.44.4 | https://roblox.tz/games/10449761463/BOSS-The-Strongest-Battlegrounds?privateServerLinkCode=11856892146830167735895077236647 | malicious | Unknown
128.116.44.4 | https://roblox.com.zm/games/10449761463/The-Strongest-Battlegrounds?privateServerLinkCode=22919554639422626360922039380445 | malicious | Unknown
128.116.44.4 | https://shrturl.net/pmf-gx3n | malicious | Unknown
104.20.22.46 | cgqdM4IA7C.exe | malicious | XWorm
104.20.22.46 | hKWBNgRd7p.exe | malicious | XWorm
104.20.22.46 | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown
104.20.22.46 | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown
104.20.22.46 | RHUENHera1.exe | malicious | AsyncRAT, XWorm
104.20.22.46 | SecuriteInfo.com.Win32.MalwareX-gen.6231.15153.exe | malicious | Unknown
104.20.22.46 | SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe | malicious | Unknown
104.20.22.46 | https://nodejs.org/dist/v20.15.0/node-v20.15.0-x64.msi | malicious | Unknown
104.20.22.46 | 3jF5V4T8LO.exe | malicious | DCRat, PureLog Stealer, zgRAT
104.20.22.46 | 2lz.exe | malicious | PureLog Stealer, XWorm, zgRAT
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.nodejs.org | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | malicious | Blank Grabber | 104.20.23.46
www.nodejs.org | cgqdM4IA7C.exe | malicious | XWorm | 104.20.22.46
www.nodejs.org | oIDX88LpSs.exe | malicious | XWorm | 104.20.23.46
www.nodejs.org | hKWBNgRd7p.exe | malicious | XWorm | 104.20.22.46
www.nodejs.org | 8svMXMXNRn.exe | malicious | NoCry, XWorm | 104.20.23.46
www.nodejs.org | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown | 104.20.22.46
www.nodejs.org | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown | 104.20.22.46
www.nodejs.org | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown | 104.20.23.46
www.nodejs.org | SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exe | malicious | Unknown | 104.20.23.46
www.nodejs.org | BootstrapperV1.19.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.20.23.46
getsolara.dev | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | malicious | Blank Grabber | 172.67.203.125
getsolara.dev | cgqdM4IA7C.exe | malicious | XWorm | 172.67.203.125
getsolara.dev | oIDX88LpSs.exe | malicious | XWorm | 172.67.203.125
getsolara.dev | hKWBNgRd7p.exe | malicious | XWorm | 172.67.203.125
getsolara.dev | SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe | malicious | Unknown | 104.21.93.27
getsolara.dev | SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe | malicious | Unknown | 104.21.93.27
getsolara.dev | 8svMXMXNRn.exe | malicious | NoCry, XWorm | 104.21.93.27
getsolara.dev | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown | 104.21.93.27
getsolara.dev | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | malicious | Unknown | 172.67.203.125
getsolara.dev | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | malicious | Unknown | 172.67.203.125
edge-term4-fra4.roblox.com | 8svMXMXNRn.exe | malicious | NoCry, XWorm | 128.116.44.3
edge-term4-fra4.roblox.com | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown | 128.116.44.3
edge-term4-fra4.roblox.com | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown | 128.116.44.3
edge-term4-fra4.roblox.com | SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | malicious | Unknown | 128.116.44.4
edge-term4-fra4.roblox.com | SecuriteInfo.com.Win32.MalwareX-gen.6231.15153.exe | malicious | Unknown | 128.116.44.3
edge-term4-fra4.roblox.com | https://roblox.com.zm/games/10449761463/The-Strongest-Battlegrounds?privateServerLinkCode=22919554639422626360922039380445 | malicious | Unknown | 128.116.44.3
edge-term4-fra4.roblox.com | https://shrturl.net/pmf-gx3n | malicious | Unknown | 128.116.44.3
Match: ROBLOX-PRODUCTIONUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | Get hash | malicious | Blank Grabber | Browse | 128.116.123.4
la.bot.arm.elf | Get hash | malicious | Unknown | Browse | 128.116.110.16
cgqdM4IA7C.exe | Get hash | malicious | XWorm | Browse | 128.116.21.4
oIDX88LpSs.exe | Get hash | malicious | XWorm | Browse | 128.116.123.4
hKWBNgRd7p.exe | Get hash | malicious | XWorm | Browse | 128.116.123.3
8svMXMXNRn.exe | Get hash | malicious | NoCry, XWorm | Browse | 128.116.44.3
https://www.roblox.sc/users/294681399108/profile | Get hash | malicious | Unknown | Browse | 128.116.122.3
SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | Get hash | malicious | Unknown | Browse | 128.116.44.3
SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | Get hash | malicious | Unknown | Browse | 128.116.44.3
SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe | Get hash | malicious | Unknown | Browse | 128.116.44.4

Match: CLOUDFLARENETUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 188.114.96.3
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 172.64.41.3
gMd6of50Do.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.136.232
El9HaBFrFM.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.128.233
aLRjksjY78.exe | Get hash | malicious | HackBrowser | Browse | 162.159.136.232
jF5cZUXeQm.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.135.232
https://www.miroslavska.com/pvt/language-prefs?return_url=https:///alrbanyon.com/..&lng=en&return_url=/plain-flange_red.thick./dn-800/glatter-flansch-dn-800:813x20-pn-10-id-8195-mm | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
Advanced_IP_Scanner_2.5.4594.12.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 104.26.1.231
original.eml | Get hash | malicious | Mamba2FA | Browse | 188.114.96.3
https://fcs-aero.com/ilsmart/marketplace/inventory/#ksunya.chan@yogiproducts.com | Get hash | malicious | HTMLPhisher | Browse | 188.114.96.3

Match: AS43260TR
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SecuriteInfo.com.Win32.Trojan-gen.4672.20787.exe | Get hash | malicious | Unknown | Browse | 77.73.131.1
SecuriteInfo.com.Win32.Trojan-gen.4672.20787.exe | Get hash | malicious | Unknown | Browse | 77.73.131.1
cgqdM4IA7C.exe | Get hash | malicious | XWorm | Browse | 185.141.35.22
oIDX88LpSs.exe | Get hash | malicious | XWorm | Browse | 185.141.35.22
SecuriteInfo.com.Trojan.WinGo.Agent.15048.57.exe | Get hash | malicious | Unknown | Browse | 77.73.131.68
SecuriteInfo.com.Win64.Malware-gen.27001.18486.exe | Get hash | malicious | Unknown | Browse | 77.73.131.68
SecuriteInfo.com.Trojan.WinGo.Agent.15048.57.exe | Get hash | malicious | Unknown | Browse | 77.73.131.68
SecuriteInfo.com.Win64.Malware-gen.27001.18486.exe | Get hash | malicious | Unknown | Browse | 77.73.131.68
na.elf | Get hash | malicious | Mirai, Moobot | Browse | 185.124.86.109
0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 185.122.203.107

Match: CLOUDFLARENETUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 188.114.96.3
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 172.64.41.3
gMd6of50Do.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.136.232
El9HaBFrFM.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.128.233
aLRjksjY78.exe | Get hash | malicious | HackBrowser | Browse | 162.159.136.232
jF5cZUXeQm.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.135.232
https://www.miroslavska.com/pvt/language-prefs?return_url=https:///alrbanyon.com/..&lng=en&return_url=/plain-flange_red.thick./dn-800/glatter-flansch-dn-800:813x20-pn-10-id-8195-mm | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
Advanced_IP_Scanner_2.5.4594.12.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 104.26.1.231
original.eml | Get hash | malicious | Mamba2FA | Browse | 188.114.96.3
https://fcs-aero.com/ilsmart/marketplace/inventory/#ksunya.chan@yogiproducts.com | Get hash | malicious | HTMLPhisher | Browse | 188.114.96.3
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
http://amtso.eicar.org/PotentiallyUnwanted.exe | Get hash | malicious | Unknown | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
file.exe | Get hash | malicious | LummaC | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
Lana_Rhoades_Photoos.js | Get hash | malicious | Unknown | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
rMT103_126021720924.exe | Get hash | malicious | AgentTesla | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
https://t.ly/4Nq2x | Get hash | malicious | HTMLPhisher, Mamba2FA | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
Metro Plastics Technologies.pdf | Get hash | malicious | Unknown | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918 | Get hash | malicious | Unknown | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
RFQ Proposals ADC-24-65.exe | Get hash | malicious | MassLogger RAT | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe | Get hash | malicious | MassLogger RAT | Browse | 172.67.203.125, 128.116.44.4, 104.20.22.46
Match: C:\Users\user\AppData\Roaming\Bootstrapper.exe
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
cgqdM4IA7C.exe | Get hash | malicious | XWorm | Browse |
oIDX88LpSs.exe | Get hash | malicious | XWorm | Browse |
hKWBNgRd7p.exe | Get hash | malicious | XWorm | Browse |
SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe | Get hash | malicious | Unknown | Browse |
8svMXMXNRn.exe | Get hash | malicious | NoCry, XWorm | Browse |
SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | Get hash | malicious | Unknown | Browse |
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2627954485044162
Encrypted: false
SSDEEP: 192:V1KDt7Dr0bU9+dQla+xejol2/fsLzuiFcZ24lO8o:V12t7cbG+dQla+l23sLzuiFcY4lO8o
MD5: CF4E6D50B3D7D1AE44942E54909C07F9
SHA1: 4E5A1B4F649FFDD1080701FAA6CB116E0B308F29
SHA-256: 3881D6D205733041A8C7A29562892770E63E715BDF614D0F002121B91E44057B
SHA-512: 08262510F670BB91E63986EB71606DBDE274A4B9A06D1DE4E6D67532CE18E4FB8667DD79E8EB84A13EFB2A6EE24838C040979A8DE9461CF53B825E9444FC700C
Malicious: false
                                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.7.3.9.7.4.0.6.5.9.8.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.7.3.9.7.4.7.2.2.2.3.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.a.a.a.d.8.8.-.6.2.f.4.-.4.f.c.9.-.8.d.c.2.-.7.a.2.a.9.a.4.6.2.b.6.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.9.a.e.e.0.3.-.a.e.0.e.-.4.5.6.6.-.a.2.8.b.-.0.d.c.2.3.f.9.a.f.b.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.o.l.a.r.a.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.c.0.-.0.0.0.1.-.0.0.1.4.-.2.b.a.9.-.5.b.2.3.c.5.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.e.1.7.3.6.3.1.c.a.d.c.4.a.7.6.9.5.d.3.9.9.5.7.a.1.2.d.e.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.2.1.f.2.3.2.c.2.f.d.8.1.3.2.f.8.6.7.7.e.5.3.2.5.8.5.6.2.a.d.9.8.b.4.5.5.e.6.7.9.

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Thu Oct 31 18:46:14 2024, 0x1205a4 type
Category: dropped
Size (bytes): 605210
Entropy (8bit): 3.3023922452398446
Encrypted: false
SSDEEP: 6144:1Y34LszP053QB8FH9+0vfc7uh14oIR/Jl8iBkqvtM:1Y34LwUQB8FH9+0vfc7P/JlSq
MD5: B69D79D7CD59CB769AA2BE3715181720
SHA1: C7E02E779B798E1AB2EADE59761AAA55A439A92C
SHA-256: 9614439A1CC86563CD875C07A16F0B5586B13B8A033C41757501D713E20D3014
SHA-512: C00E7365774B04062926803F5F0676A7AE4A3E47CD8D69D9CE80339F96CA4278449A7839386E63912549A3574FBDDB6F8F2644586E97949FA4B3C8E53F565E2A
Malicious: false
                                                                                                                                                    Preview:MDMP..a..... .......v.#g............4...........<...T.......<....)...........).......T..............l.......8...........T............U..j............E...........G..............................................................................eJ......@H......Lw......................T...........k.#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6792
Entropy (8bit): 3.719761200657001
Encrypted: false
SSDEEP: 192:R6l7wVeJijoZ/yix1YZX8Ppr389bT3Uf0VRm:R6lXJUoZ/yix1Y5hTEfH
MD5: 4178781A3465B908898F55EEAABEB537
SHA1: 5B8DF747D8D67E6DB22E7C08A2CC29FA17BEBB32
SHA-256: B8FDEC32BC23D4354F1788838380BC1770982C00A38AE04CEBD1CF0C0E7699CD
SHA-512: 0230229F3D8A94D28D4AE62387D4EC476A4EFB0B35B9167684A8BD7266CE1C9C4BF6D7C090F6B9241395DC270D2D35C4452A15D8D661867B7BA37E28293CF833
Malicious: false
                                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.1.6.<./.P.i.
                                                                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):4809
                                                                                                                                                    Entropy (8bit):4.455271422455173
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:cvIwWl8zsxJg771I9wbWpW8VYVYm8M4JnT/FN9yq8vETXU1QaBd:uIjfDI7Xq7VZJpW8U1QaBd
                                                                                                                                                    MD5:38FC9CFE60A5571721BDF8E94205A751
                                                                                                                                                    SHA1:39393219200D8BF8D8635D18BCF18C0F50239728
                                                                                                                                                    SHA-256:4BDE7303887845BFF3238EE36C81A66CB252760374B13EA8002BB0F6B91295BC
                                                                                                                                                    SHA-512:1195369C6DDC68AA29E196EFA4B803C116725BB8D5C71B2FCAEEC74F31C344A354D176471908BB490AD368A5F32F72E064433164F51A443EF9B23DE430603A06
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567948" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                    Process:C:\Users\user\Desktop\IM3OLcx7li.exe
                                                                                                                                                    File Type:CSV text
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):654
                                                                                                                                                    Entropy (8bit):5.380476433908377
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                    Malicious:true
                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):41
                                                                                                                                                    Entropy (8bit):3.7195394315431693
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                                                                                                                    MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                                                                                                                    SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                                                                                                                    SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                                                                                                                    SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                                                                                                                    Process:C:\Users\user\Desktop\IM3OLcx7li.exe
                                                                                                                                                    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):819200
                                                                                                                                                    Entropy (8bit):5.598226996524291
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12288:t0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0z:O5vgHWjTwAlocaKjyyItHDz
                                                                                                                                                    MD5:2A4DCF20B82896BE94EB538260C5FB93
                                                                                                                                                    SHA1:21F232C2FD8132F8677E53258562AD98B455E679
                                                                                                                                                    SHA-256:EBBCB489171ABFCFCE56554DBAEACD22A15838391CBC7C756DB02995129DEF5A
                                                                                                                                                    SHA-512:4F1164B2312FB94B7030D6EB6AA9F3502912FFA33505F156443570FC964BFD3BB21DED3CF84092054E07346D2DCE83A0907BA33F4BA39AD3FE7A78E836EFE288
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                                                    Joe Sandbox View:
                                                                                                                                                    • Filename: cgqdM4IA7C.exe, Detection: malicious, Browse
                                                                                                                                                    • Filename: oIDX88LpSs.exe, Detection: malicious, Browse
                                                                                                                                                    • Filename: hKWBNgRd7p.exe, Detection: malicious, Browse
                                                                                                                                                    • Filename: SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe, Detection: malicious, Browse
                                                                                                                                                    • Filename: 8svMXMXNRn.exe, Detection: malicious, Browse
                                                                                                                                                    • Filename: SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe, Detection: malicious, Browse
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Ll.g.........."......v............... ....@...... ....................................`.................................................D...T.......u............................................................................................ ..H............text....t... ...v.................. ..`.rsrc...u............x..............@..@.reloc...............~..............@..BH........................................................................0..R.......(....:....*r...p(....r...po....:-...r-..pr&..p.. (.....@....r...pr<..p(....(....&*.......0..........rL..prT..p.(....s....%.o....%.o....%.o....%.o.....s.......o.....o....&.o....o......(....9.....o....o.............9.....o......*.......8.8p.......0..8.......r\..p.......%...%.r^..p.%...%.r...p.%...%.r...p.(......*.....(....~....%:....&~......*...s....%.....(...+*...0..l.........(....r...p(....(....r\..p.
                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):75264
                                                                                                                                                    Entropy (8bit):5.858531672411688
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:HaHqQf1yZabIdVLqYgIHW+bpPSsS+CYyvOXOTuQ8EsL3b:6KQffIqvp+bB25YyvOeTuQ8E+b
                                                                                                                                                    MD5:06DF71794E08473F20B46AA17C389269
                                                                                                                                                    SHA1:149AAA1816A59E05D55806EC88ADB75E7CCF079A
                                                                                                                                                    SHA-256:C0D08AFC1DBCF3572160019C5074E5C58010205D158C9B2DA1B2B7E86A465321
                                                                                                                                                    SHA-512:F772AAB2F848914E19BB6061A52FDAF3DA2CCD5D3BAABD6ED99C52EDC73CDAFC6FC0BBCD91E9CB17083DA51BCBA1F4F5B8A5005531141CE0C04D414AA0B018B0
                                                                                                                                                    Malicious:true
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\FluxusV1.2, Author: Joe Security
                                                                                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\FluxusV1.2, Author: ditekSHen
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g.............................:... ...@....@.. ....................................@.................................8:..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B................p:......H.......D^..........&.....................................................(....*.r...p*. C...*..(....*.rW..p*. .#..*.s.........s.........s.........s.........*.r...p*. ....*.r...p*. &J..*.r"..p*. .X..*.r...p*. '^..*.rT..p*. ....*..((...*.r...p*. .(T.*.r|..p*. ...*"(....+.*&(....&+.*.+5sT... .... .'..oU...(,...~....-.(D...(6...~....oV...&.-.*.r...p*. ....*.rd..p*. *p{.*.r...p*. .x!.*.rX..p*. E/..*.r...p*. ,.=.*..............j..................sW..............*"(F...+.*:.t....(
                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 17:46:08 2024, mtime=Thu Oct 31 17:46:08 2024, atime=Thu Oct 31 17:46:08 2024, length=75264, window=hide
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):760
                                                                                                                                                    Entropy (8bit):5.072839779701608
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:84/sg4LpkChgY//M7L3CGK2/+kvjAsNu/Hgt/zj1mV:84/kL606Sd2nAsNuGLj1m
                                                                                                                                                    MD5:40AB3D6B93F88D8BF06805CF96912DD0
                                                                                                                                                    SHA1:5A6EE8460A1A1F16CFC3B7FE62207401394A348F
                                                                                                                                                    SHA-256:AC63E88572BF5253CD028C55688EFC8EF1D2D6C9D8A567AD0CFEA77E1F7A52F4
                                                                                                                                                    SHA-512:56CA173F17D174F9BE6D559FE6D54467CEA719FF6EC6068C8E5D8DDFE7808AD5FDE2B20808ACE477E10ECAB31C20F478CB660F45E1DB496947307C9D5DE4FF72
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:L..................F.... ....&.%.+...&.%.+...&.%.+...&......................t.:..DG..Yr?.D..U..k0.&...&.......y.Yd........+..`s.%.+......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B_Y............................d...A.p.p.D.a.t.a...B.V.1....._Y...Roaming.@......EW)B_Y...............................R.o.a.m.i.n.g.....`.2..&.._Y. .FluxusV1.2..F......_Y._Y......(....................$^).F.l.u.x.u.s.V.1...2.......Y...............-.......X....................C:\Users\user\AppData\Roaming\FluxusV1.2........\.....\.....\.....\.....\.F.l.u.x.u.s.V.1...2.`.......X.......266904...........hT..CrF.f4... .G..Yc...,...E...hT..CrF.f4... .G..Yc...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
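A check a responder would want for the shortcut entry above, as an added example that is not part of the Joe Sandbox report: parse the .lnk according to MS-SHLLINK, resolve its target from the LinkInfo block (LocalBasePath) or, failing that, from the RelativePath string, and flag targets that sit under user-writable locations such as AppData\Roaming. The preview of the dropped shortcut shows both forms of the target, C:\Users\user\AppData\Roaming\FluxusV1.2 and ..\..\..\..\..\FluxusV1.2; five parent steps reaching Roaming is exactly the depth of Roaming\Microsoft\Windows\Start Menu\Programs\Startup, so the code assumes that folder as the shortcut's location (an inference, not something this section states). The shortcut bytes are built in code to carry those two paths; they are constructed test input, not the dropped file, and the file-size field reuses the 75264 bytes the report lists for the target.

```python
"""Added example (not the report's own code): a minimal MS-SHLLINK parser
that resolves where a Startup-folder .lnk points. The sample shortcut is
constructed here with the paths shown in the report; the bytes are not the
dropped file."""
import ntpath
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))  # StringData order per spec
# Assumed location of the shortcut: five "..\" steps above it land in AppData\Roaming.
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Parents from which a Startup shortcut target deserves a look.
WRITABLE_PARENTS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                    "\\programdata\\", "\\users\\public\\")


def parse_lnk(data: bytes) -> dict:
    """Read the ShellLinkHeader, skip the LinkTargetIDList, pull LocalBasePath
    out of LinkInfo and decode the StringData fields. ExtraData is ignored."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    local_base_path = None
    if flags & HAS_LINK_INFO:
        start = pos
        info_size, _hdr, info_flags, _vol_off, lbp_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", start + lbp_off)
            local_base_path = data[start + lbp_off:end].decode("cp1252")
        pos = start + info_size
    fields = {"local_base_path": local_base_path}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def build_lnk(local_base_path: str, relative_path: str, target_size: int) -> bytes:
    """Constructed test input: header + LinkInfo(LocalBasePath) + RelativePath."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, target_size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base = local_base_path.encode("cp1252") + b"\x00"
    vol_off = 0x1C
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, vol_off, lbp_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"  # empty CommonPathSuffix
    rel = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return header + link_info + rel


def resolve_target(fields: dict, lnk_dir: str) -> str:
    """Prefer the absolute LocalBasePath; otherwise resolve RelativePath
    against the shortcut's own directory using Windows path rules."""
    if fields.get("local_base_path"):
        return fields["local_base_path"]
    if fields.get("relative_path"):
        return ntpath.normpath(ntpath.join(lnk_dir, fields["relative_path"]))
    return ""  # target only in the IDList or an ExtraData block: unresolved here


def is_suspicious_target(target: str) -> bool:
    return any(p in target.lower() for p in WRITABLE_PARENTS)


def scan_startup(startup_dir: str = STARTUP_DIR) -> list:
    """Return (shortcut, target) pairs worth reviewing in a real Startup folder."""
    findings = []
    for name in os.listdir(startup_dir):
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(startup_dir, name), "rb") as fh:
            target = resolve_target(parse_lnk(fh.read()), startup_dir)
        if target == "" or is_suspicious_target(target):
            findings.append((name, target or "<unresolved>"))
    return findings


if __name__ == "__main__":
    blob = build_lnk(r"C:\Users\user\AppData\Roaming\FluxusV1.2",
                     r"..\..\..\..\..\FluxusV1.2", 75264)  # paths and size from the report
    target = resolve_target(parse_lnk(blob), STARTUP_DIR)
    print(target, is_suspicious_target(target))
```

scan_startup() is what runs against a live Startup folder; the constructed blob only exercises the parser. Shortcuts whose target is carried solely in the IDList or in an ExtraData block come back unresolved, which the scan reports rather than treating as clean.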
Process:C:\Users\user\Desktop\IM3OLcx7li.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):75264
Entropy (8bit):5.858531672411688
Encrypted:false
SSDEEP:1536:HaHqQf1yZabIdVLqYgIHW+bpPSsS+CYyvOXOTuQ8EsL3b:6KQffIqvp+bB25YyvOeTuQ8E+b
MD5:06DF71794E08473F20B46AA17C389269
SHA1:149AAA1816A59E05D55806EC88ADB75E7CCF079A
SHA-256:C0D08AFC1DBCF3572160019C5074E5C58010205D158C9B2DA1B2B7E86A465321
SHA-512:F772AAB2F848914E19BB6061A52FDAF3DA2CCD5D3BAABD6ED99C52EDC73CDAFC6FC0BBCD91E9CB17083DA51BCBA1F4F5B8A5005531141CE0C04D414AA0B018B0
Malicious:true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g.............................:... ...@....@.. ....................................@.................................8:..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B................p:......H.......D^..........&.....................................................(....*.r...p*. C...*..(....*.rW..p*. .#..*.s.........s.........s.........s.........*.r...p*. ....*.r...p*. &J..*.r"..p*. .X..*.r...p*. '^..*.rT..p*. ....*..((...*.r...p*. .(T.*.r|..p*. ...*"(....+.*&(....&+.*.+5sT... .... .'..oU...(,...~....-.(D...(6...~....oV...&.-.*.r...p*. ....*.rd..p*. *p{.*.r...p*. .x!.*.rX..p*. E/..*.r...p*. ,.=.*..............j..................sW..............*"(F...+.*:.t....(

Process:C:\Users\user\AppData\Roaming\Bootstrapper.exe
File Type:JSON data
Category:dropped
Size (bytes):103
Entropy (8bit):4.081427527984575
Encrypted:false
SSDEEP:3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
MD5:B016DAFCA051F817C6BA098C096CB450
SHA1:4CC74827C4B2ED534613C7764E6121CEB041B459
SHA-256:B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
SHA-512:D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
Malicious:false
Preview:{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }
                                                                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1835008
                                                                                                                                                    Entropy (8bit):4.3723875403772565
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:tFVfpi6ceLP/9skLmb0cyWWSPtaJG8nAge35OlMMhA2AX4WABlguNDiL:7V1CyWWI/glMM6kF7pq
                                                                                                                                                    MD5:C63ACF51318F831B467817EF445A90E0
                                                                                                                                                    SHA1:91BA2A4C115FC854F1778436FA0FECA699AFB249
                                                                                                                                                    SHA-256:A1D7A4A3862522CB1D93D618E94AA980603F01EE63A4A1FDFBB33067E21D1082
                                                                                                                                                    SHA-512:B78FFF3283993CBE615B2615251522B7FEFB91BBFBF1FD9CE2998033F96E9D38446EAFA0EFC47E8CDC5DAA33ED1F9460F6353F4C1CD56798FD9904CC62609E57
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm._U).+................................................................................................................................................................................................................................................................................................................................................B.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\Bootstrapper.exe
                                                                                                                                                    File Type:ISO-8859 text, with CRLF, LF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):571
                                                                                                                                                    Entropy (8bit):4.9398118662542965
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
                                                                                                                                                    MD5:5294778E41EE83E1F1E78B56466AD690
                                                                                                                                                    SHA1:348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
                                                                                                                                                    SHA-256:3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
                                                                                                                                                    SHA-512:381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
                                                                                                                                                    Malicious:true
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
                                                                                                                                                    Preview:.............................................................------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.996102760993812
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:IM3OLcx7li.exe
File size:907'776 bytes
MD5:5de66177f354c6897c28610c4f7bae57
SHA1:e8ad1bee7ca5c991d1837eb59d0c9b4033e055bf
SHA256:2b685da51e11e912a197f6b099cc129ea596e0a17e1acda327a14da2f29cc14d
SHA512:a4b7044c28e0ead07ade9325de64e0e1e9069d27ab4d228df4acc84952a9c9f7e05e04cdae7adb05322e413756cf906163ccf728564258ad21d558da1da471e0
SSDEEP:24576:pIRvCHulB7EdTNb8aJFWKtJ8Bx2BIQPGfK9wNJnkSDSvmEF:pIRvCOlBOF8aJFWKtJ8Bx2BXSK6NJ
TLSH:E01523FE481EFA3DC929B5BD2A61473F0D65DBAF714034159880D3C609EB36A7928E70
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g............................~.... ........@.. .......................@............@................................
Icon Hash:00928e8e8686b000
Entrypoint:0x4dee7e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x6723C40D [Thu Oct 31 17:53:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the original listing)

The entry point is the standard native stub of a .NET executable: a single indirect jump through the IAT slot at RVA 0x2000 (image base 0x400000 + 0x2000 = 0x402000, the one entry listed under IMAGE_DIRECTORY_ENTRY_IAT below). Everything after the six-byte jump is zero padding, which the disassembler renders as add byte ptr [eax], al; no native code of the sample lives here, the managed code is reached through the CLR header instead.
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xdee24         | 0x57         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xe0000         | 0x4ce        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xe2000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0xdce84      | 0xdd000  | e7c84a5820b143dd214d53e94e6071c2 | False    | 0.939119502969457   | data      | 7.997895898511622   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0xe0000         | 0x4ce        | 0x600    | 5b1e5dade89b256a2fb4bc7a7f7e2e23 | False    | 0.373046875         | data      | 3.717629241737283   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe2000         | 0xc          | 0x200    | e84c1fe27b59cc85a93b11005c8a0f37 | False    | 0.044921875         | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .text section has an entropy of 7.998 out of a maximum of 8 and is practically incompressible (ZLIB complexity 0.94). Ordinary compiled code does not look like this; it is the profile of a packed or encrypted payload, so static strings and signatures taken from this section describe the wrapper, not the final stage.
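As an added example (not part of the Joe Sandbox report or of the analysed sample), the Python below builds a small PE32 image in memory from three constructed sections and computes the per-section figures the table above reports: entropy, a compressed-size ratio standing in for ZLIB Complexity (an assumption about how that column is derived), MD5 and decoded characteristics. Executable sections whose entropy exceeds 7.0 are flagged as likely packed. Section names, contents and addresses are constructed here; only the header layouts and IMAGE_SCN_* bit values are real PE definitions.

```python
"""Parse a PE section table and compute entropy / compressibility per section.
Added example: the PE image is constructed in memory, not the analysed sample."""
import hashlib
import math
import struct
import zlib
from collections import Counter

FILE_ALIGN = 0x200                      # typical PE FileAlignment
COFF_FMT = "<HHIIIHH"                   # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
SECTION_FLAGS = {                       # IMAGE_SCN_* bits decoded below
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; values near 8 mean random-looking content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio (assumed equivalent of the report's ZLIB Complexity)."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table -> per-section stats."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, pe, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, pe, table + i * struct.calcsize(SECTION_FMT))
        data = pe[raw_ptr:raw_ptr + raw_size]
        entropy = shannon_entropy(data)
        executable = bool(chars & 0x20000020)       # MEM_EXECUTE or CNT_CODE
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "md5": hashlib.md5(data).hexdigest(),
            "entropy": entropy, "zlib_complexity": zlib_complexity(data),
            "characteristics": [txt for bit, txt in SECTION_FLAGS.items() if chars & bit],
            # rule of thumb used here: executable code that is nearly incompressible is packed
            "likely_packed": executable and entropy > 7.0,
        })
    return sections


def _prng(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes standing in for a packed payload."""
    out = bytearray()
    for ctr in range(-(-n // 32)):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 from (name, virtual_size, virtual_address, data, characteristics)."""
    opt_size, e_lfanew = 0xE0, 0x40
    headers_len = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size + 40 * len(sections)
    raw_ptr = first_raw = -(-headers_len // FILE_ALIGN) * FILE_ALIGN
    hdrs, body = b"", b""
    for name, vsize, va, data, chars in sections:
        raw = data + b"\0" * (-len(data) % FILE_ALIGN)   # pad to FileAlignment like a linker
        hdrs += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, va,
                            len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    image = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew) + b"PE\0\0"
             + struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
             + struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2) + hdrs)
    return image + b"\0" * (first_raw - len(image)) + body


# Constructed sections: high-entropy executable .text, text-like .rsrc, tiny .reloc padded to 0x200.
CONSTRUCTED_SECTIONS = [
    (".text", 0x4000, 0x2000, _prng(0x4000), 0x60000020),
    (".rsrc", 0x110, 0x6000, b"<assembly manifestVersion='1.0'/>" * 8, 0x40000040),
    (".reloc", 0xC, 0x8000, struct.pack("<IIHH", 0x2000, 0xC, 0, 0), 0x42000040),
]

if __name__ == "__main__":
    for s in parse_sections(build_pe(CONSTRUCTED_SECTIONS)):
        print(f"{s['name']:<7} va=0x{s['virtual_address']:x} vsize=0x{s['virtual_size']:x} "
              f"raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f} "
              f"zlib={s['zlib_complexity']:.3f} packed={s['likely_packed']}")
```

The .reloc case shows why Virtual Size and Raw Size differ in the table: 12 bytes of relocation data occupy a full 0x200-byte file-aligned block, which drags entropy towards zero. A section whose Virtual Size is much larger than its Raw Size is the opposite and worth a look, since that is room for an unpacker to write into at runtime.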
Name        | RVA     | Size  | Type                                                                              | Language | Country | ZLIB Complexity
RT_VERSION  | 0xe00a0 | 0x244 | data                                                                              |          |         | 0.4706896551724138
RT_MANIFEST | 0xe02e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5469387755102041
DLL         | Import
mscoree.dll | _CorExeMain

The only import is mscoree.dll!_CorExeMain and the data directory carries a COM descriptor (CLR header) at 0x2008: this is a managed .NET executable. The native import table therefore says nothing about what the program does; Win32 APIs are resolved by the CLR at runtime, and the behavioural signatures come from the managed code, not from these headers.
Timestamp                       | SID     | Signature                                                              | Severity | Source IP     | Source Port | Dest IP        | Dest Port | Protocol
2024-10-31T19:46:10.383179+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H                        | 3        | 192.168.2.8   | 49707       | 172.67.203.125 | 443       | TCP
2024-10-31T19:46:22.754640+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound               | 1        | 192.168.2.8   | 49708       | 185.141.35.22  | 3985      | TCP
2024-10-31T19:46:23.043912+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1        | 52.149.20.212 | 443         | 192.168.2.8    | 49720     | TCP
2024-10-31T19:47:00.849045+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1        | 52.149.20.212 | 443         | 192.168.2.8    | 49725     | TCP
2024-10-31T19:47:38.264525+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound               | 1        | 192.168.2.8   | 49729       | 185.141.35.22  | 3985      | TCP

The two XWorm alerts are the same command-and-control endpoint, 185.141.35.22:3985, seen on consecutive client sockets 49708 and 49729; that host and port pair is the indicator to block and hunt for. The two CVE-2016-2211 alerts fire on inbound traffic from 52.149.20.212 port 443, i.e. on a content match inside a TLS session rather than on a CAB file the sample fetched, and should be treated as probable false positives unless decrypted traffic shows a CAB download.
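The PING alerts above are the IDS view of the keep-alive the sample sends to 185.141.35.22:3985. As an added example (not from the report or the sandbox), the Python below runs a simple beacon detector over rows copied from this report's TCP connection table: it groups client-to-server packets by server endpoint and, for each group, looks for an inter-packet interval that many other intervals agree with. Agreement counting is used instead of a mean or median because interactive command traffic later in the same session adds irregular intervals that would otherwise hide the period. The row layout, the 5% tolerance and the four-interval threshold are choices made here, not values from the report.

```python
"""Flag periodic client->server traffic (beaconing) in a packet list.
Added example; ROWS are copied from this report's TCP connection table."""
import re
from collections import defaultdict
from datetime import datetime

ROW_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) [A-Z]+"
                    r"\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)$")
EPOCH = datetime(1970, 1, 1)

# Columns: timestamp, source port, dest port, source IP, dest IP (report order).
# First three rows: start of an HTTPS download (no period); the rest: XWorm C2 socket 49708.
ROWS = """
Oct 31, 2024 19:46:09.531649113 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:09.531701088 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:09.531766891 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:09.823955059 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:09.828741074 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:46:09.828809023 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:10.079237938 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:10.084145069 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:46:22.754640102 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:22.759404898 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:46:35.434360981 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:35.439266920 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:46:48.099664927 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:48.104583025 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:00.836901903 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:00.841779947 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:13.451709032 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:13.456779003 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:22.157176018 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:22.162075043 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:25.014478922 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:25.019505024 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:27.764359951 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:27.769448042 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:32.873878002 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:32.878923893 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:32.889223099 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:32.894071102 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:32.904980898 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:32.910017014 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:35.075469971 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:35.075535059 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:38.004592896 CET  49708  3985   192.168.2.8      185.141.35.22
"""


def _seconds(ts: str) -> float:
    """Report timestamps carry nanoseconds; strptime accepts at most microseconds."""
    head, frac = ts.rsplit(".", 1)
    dt = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return (dt - EPOCH).total_seconds()


def find_beacons(rows: str, client_net: str = "192.168.2.", min_period: float = 1.0,
                 tolerance: float = 0.05, min_support: int = 4) -> dict:
    """Return {(server_ip, port): {...}} for endpoints with a recurring client->server interval."""
    outbound = defaultdict(list)
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(4).startswith(client_net):        # client -> server packets only
            ts, _sport, dport, _src, dst = m.groups()
            outbound[(dst, int(dport))].append(_seconds(ts))
    hits = {}
    for key, times in outbound.items():
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        best_period, best_support = None, 0
        for cand in deltas:
            if cand < min_period:                            # ignore bursts within one exchange
                continue
            support = sum(1 for d in deltas if abs(d - cand) <= tolerance * cand)
            if support > best_support:
                best_period, best_support = cand, support
        if best_support >= min_support:
            matched = [d for d in deltas if abs(d - best_period) <= tolerance * best_period]
            hits[key] = {"period_s": round(sum(matched) / len(matched), 2),
                         "beacons": best_support, "packets": len(times)}
    return hits


if __name__ == "__main__":
    for (ip, port), info in find_beacons(ROWS).items():
        print(f"{ip}:{port} beacons every ~{info['period_s']}s "
              f"({info['beacons']} regular intervals out of {info['packets']} client packets)")
```

On the rows above the detector reports 185.141.35.22:3985 with a period of about 12.7 seconds supported by five intervals, while the HTTPS connection is not reported because its packets are a single burst. The same logic applies unchanged to flow logs or Zeek conn records once the parser is swapped for the local format.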
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 31, 2024 19:46:06.458985090 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:06.459048986 CET  443    49705  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:06.459126949 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:06.481369019 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:06.481400967 CET  443    49705  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:07.109344006 CET  443    49705  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:07.109545946 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:07.112490892 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:07.112513065 CET  443    49705  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:07.112768888 CET  443    49705  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:07.154452085 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:07.163856983 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:07.207333088 CET  443    49705  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:07.374038935 CET  443    49705  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:07.374115944 CET  443    49705  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:07.374325037 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:07.392054081 CET  49705  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:09.531649113 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:09.531701088 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:09.531766891 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:09.532856941 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:09.532874107 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:09.823955059 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:09.828741074 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:46:09.828809023 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:10.079237938 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:10.084145069 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:46:10.140659094 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:10.140746117 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:10.142066002 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:10.142074108 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:10.142299891 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:10.143363953 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:10.191338062 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:10.383193970 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:10.383325100 CET  443    49707  172.67.203.125   192.168.2.8
Oct 31, 2024 19:46:10.383389950 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:10.383927107 CET  49707  443    192.168.2.8      172.67.203.125
Oct 31, 2024 19:46:10.678239107 CET  49709  443    192.168.2.8      128.116.44.4
Oct 31, 2024 19:46:10.678303003 CET  443    49709  128.116.44.4     192.168.2.8
Oct 31, 2024 19:46:10.678388119 CET  49709  443    192.168.2.8      128.116.44.4
Oct 31, 2024 19:46:10.678634882 CET  49709  443    192.168.2.8      128.116.44.4
Oct 31, 2024 19:46:10.678653955 CET  443    49709  128.116.44.4     192.168.2.8
Oct 31, 2024 19:46:11.544258118 CET  443    49709  128.116.44.4     192.168.2.8
Oct 31, 2024 19:46:11.544338942 CET  49709  443    192.168.2.8      128.116.44.4
Oct 31, 2024 19:46:11.581981897 CET  49709  443    192.168.2.8      128.116.44.4
Oct 31, 2024 19:46:11.581995964 CET  443    49709  128.116.44.4     192.168.2.8
Oct 31, 2024 19:46:11.582341909 CET  443    49709  128.116.44.4     192.168.2.8
Oct 31, 2024 19:46:11.583846092 CET  49709  443    192.168.2.8      128.116.44.4
Oct 31, 2024 19:46:11.631339073 CET  443    49709  128.116.44.4     192.168.2.8
Oct 31, 2024 19:46:12.048357964 CET  443    49709  128.116.44.4     192.168.2.8
Oct 31, 2024 19:46:12.048459053 CET  443    49709  128.116.44.4     192.168.2.8
Oct 31, 2024 19:46:12.048512936 CET  49709  443    192.168.2.8      128.116.44.4
Oct 31, 2024 19:46:12.048937082 CET  49709  443    192.168.2.8      128.116.44.4
Oct 31, 2024 19:46:13.619256973 CET  49713  443    192.168.2.8      104.20.22.46
Oct 31, 2024 19:46:13.619292974 CET  443    49713  104.20.22.46     192.168.2.8
Oct 31, 2024 19:46:13.619627953 CET  49713  443    192.168.2.8      104.20.22.46
Oct 31, 2024 19:46:13.619627953 CET  49713  443    192.168.2.8      104.20.22.46
Oct 31, 2024 19:46:13.619662046 CET  443    49713  104.20.22.46     192.168.2.8
Oct 31, 2024 19:46:14.244545937 CET  443    49713  104.20.22.46     192.168.2.8
Oct 31, 2024 19:46:14.244676113 CET  49713  443    192.168.2.8      104.20.22.46
Oct 31, 2024 19:46:14.284147978 CET  49713  443    192.168.2.8      104.20.22.46
Oct 31, 2024 19:46:14.284173012 CET  443    49713  104.20.22.46     192.168.2.8
Oct 31, 2024 19:46:14.284465075 CET  443    49713  104.20.22.46     192.168.2.8
Oct 31, 2024 19:46:14.285305023 CET  49713  443    192.168.2.8      104.20.22.46
Oct 31, 2024 19:46:14.331336021 CET  443    49713  104.20.22.46     192.168.2.8
Oct 31, 2024 19:46:14.733270884 CET  443    49713  104.20.22.46     192.168.2.8
Oct 31, 2024 19:46:14.733386040 CET  443    49713  104.20.22.46     192.168.2.8
Oct 31, 2024 19:46:14.733438015 CET  49713  443    192.168.2.8      104.20.22.46
Oct 31, 2024 19:46:14.734025955 CET  49713  443    192.168.2.8      104.20.22.46
Oct 31, 2024 19:46:22.754640102 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:22.759404898 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:46:35.434360981 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:35.439266920 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:46:48.099664927 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:46:48.104583025 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:00.836901903 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:00.841779947 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:13.451709032 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:13.456779003 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:22.157176018 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:22.162075043 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:25.014478922 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:25.019505024 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:27.764359951 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:27.769448042 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:32.873878002 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:32.878923893 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:32.889223099 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:32.894071102 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:32.904980898 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:32.910017014 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:35.075469971 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:35.075535059 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:38.004592896 CET  49708  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:38.009124994 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:38.009928942 CET  3985   49708  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:38.014062881 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:38.014178038 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:38.115535021 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:38.121012926 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:38.264524937 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:38.269892931 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:41.267157078 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:41.272175074 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:48.530087948 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:48.535216093 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:48.576930046 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:48.582173109 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:48.592470884 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:48.597776890 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:48.608184099 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:48.613280058 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:48.654999971 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:48.660046101 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:48.686240911 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:48.691441059 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:48.733059883 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:48.738274097 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:48.748648882 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:48.753679037 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:58.780366898 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:58.785384893 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:58.921763897 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:58.927408934 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:58.999062061 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:59.004883051 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:59.045784950 CET  49729  3985   192.168.2.8      185.141.35.22
Oct 31, 2024 19:47:59.050720930 CET  3985   49729  185.141.35.22    192.168.2.8
Oct 31, 2024 19:47:59.061366081 CET  49729  3985   192.168.2.8      185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:47:59.066174030 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:47:59.077140093 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:47:59.081943989 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:47:59.202241898 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:47:59.207408905 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:47:59.217956066 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:47:59.222862959 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:47:59.233191967 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:47:59.239033937 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:02.111341953 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:02.116420984 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:05.313158035 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:05.318448067 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:17.280077934 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:17.285152912 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:19.749206066 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:19.754529953 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:28.155157089 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:28.160274982 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:31.782747984 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:31.787950993 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:31.889832973 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:31.894855976 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:32.875195980 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:32.880203009 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:35.983364105 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:35.988281012 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:36.030139923 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:36.034905910 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:36.077205896 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:36.082072973 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:36.092657089 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:36.097526073 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:36.123742104 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:36.128591061 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:36.186575890 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:36.191509008 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:41.373853922 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:41.378833055 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:46.249139071 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:46.254051924 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:46.327049017 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:46.334043026 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:46.342561960 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:46.347978115 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:48:49.329257011 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:48:49.334172010 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:01.297233105 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:01.302105904 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:01.592789888 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:01.597726107 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:01.655070066 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:01.659989119 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:01.717794895 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:01.722691059 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:01.795809984 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:01.800702095 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:02.030247927 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:02.035129070 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:02.045783043 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:02.050810099 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:02.061975002 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:02.066864014 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:02.092684031 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:02.099119902 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:04.702423096 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:04.707422018 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:07.358284950 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:07.496037006 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:10.952020884 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:10.956895113 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:12.545811892 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:12.550692081 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:12.592690945 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:12.597671032 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:17.858262062 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:17.863149881 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:18.686450005 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:18.691359997 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:22.999049902 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:23.004281998 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:30.655364990 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:30.660214901 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:31.858700991 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:31.863603115 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:38.233208895 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:38.238059998 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:45.623895884 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:45.628768921 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:48.998931885 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:49.004148006 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:56.171298027 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:56.176484108 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:59.061450958 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:59.066628933 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:59.108406067 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:59.113346100 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:59.139612913 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:59.144450903 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:49:59.639487028 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:49:59.644633055 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:01.389492989 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:01.395628929 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:04.014431953 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:04.019228935 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:05.082792044 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:05.082885981 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:09.202009916 CET497293985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:09.205163002 CET497303985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:09.206986904 CET398549729185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:09.210360050 CET398549730185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:09.210422039 CET497303985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:09.284535885 CET497303985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:09.289349079 CET398549730185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:09.373971939 CET497303985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:09.379772902 CET398549730185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:12.577194929 CET497303985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:12.583230019 CET398549730185.141.35.22192.168.2.8
                                                                                                                                                    Oct 31, 2024 19:50:23.920762062 CET497303985192.168.2.8185.141.35.22
                                                                                                                                                    Oct 31, 2024 19:50:23.925825119 CET398549730185.141.35.22192.168.2.8
UDP Packets

Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Oct 31, 2024 19:46:06.439824104 CET | 50732       | 53        | 192.168.2.8 | 1.1.1.1
Oct 31, 2024 19:46:06.447458982 CET | 53          | 50732     | 1.1.1.1     | 192.168.2.8
Oct 31, 2024 19:46:09.720592976 CET | 65460       | 53        | 192.168.2.8 | 1.1.1.1
Oct 31, 2024 19:46:09.765808105 CET | 53          | 65460     | 1.1.1.1     | 192.168.2.8
Oct 31, 2024 19:46:10.666807890 CET | 51473       | 53        | 192.168.2.8 | 1.1.1.1
Oct 31, 2024 19:46:10.674335003 CET | 53          | 51473     | 1.1.1.1     | 192.168.2.8
Oct 31, 2024 19:46:13.610344887 CET | 56090       | 53        | 192.168.2.8 | 1.1.1.1
Oct 31, 2024 19:46:13.617872953 CET | 53          | 56090     | 1.1.1.1     | 192.168.2.8
DNS Queries

Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                      | Type           | Class       | DNS over HTTPS
Oct 31, 2024 19:46:06.439824104 CET | 192.168.2.8 | 1.1.1.1 | 0x1f4a   | Standard query (0) | getsolara.dev             | A (IP address) | IN (0x0001) | false
Oct 31, 2024 19:46:09.720592976 CET | 192.168.2.8 | 1.1.1.1 | 0xc916   | Standard query (0) | nohicsq.localto.net       | A (IP address) | IN (0x0001) | false
Oct 31, 2024 19:46:10.666807890 CET | 192.168.2.8 | 1.1.1.1 | 0xc7a6   | Standard query (0) | clientsettings.roblox.com | A (IP address) | IN (0x0001) | false
Oct 31, 2024 19:46:13.610344887 CET | 192.168.2.8 | 1.1.1.1 | 0x6862   | Standard query (0) | www.nodejs.org            | A (IP address) | IN (0x0001) | false
DNS Answers

Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                       | CName                      | Address        | Type                   | Class       | DNS over HTTPS
Oct 31, 2024 19:46:06.447458982 CET | 1.1.1.1   | 192.168.2.8 | 0x1f4a   | No error (0) | getsolara.dev              |                            | 172.67.203.125 | A (IP address)         | IN (0x0001) | false
Oct 31, 2024 19:46:06.447458982 CET | 1.1.1.1   | 192.168.2.8 | 0x1f4a   | No error (0) | getsolara.dev              |                            | 104.21.93.27   | A (IP address)         | IN (0x0001) | false
Oct 31, 2024 19:46:09.765808105 CET | 1.1.1.1   | 192.168.2.8 | 0xc916   | No error (0) | nohicsq.localto.net        |                            | 185.141.35.22  | A (IP address)         | IN (0x0001) | false
Oct 31, 2024 19:46:10.674335003 CET | 1.1.1.1   | 192.168.2.8 | 0xc7a6   | No error (0) | clientsettings.roblox.com  | titanium.roblox.com        |                | CNAME (Canonical name) | IN (0x0001) | false
Oct 31, 2024 19:46:10.674335003 CET | 1.1.1.1   | 192.168.2.8 | 0xc7a6   | No error (0) | titanium.roblox.com        | edge-term4.roblox.com      |                | CNAME (Canonical name) | IN (0x0001) | false
Oct 31, 2024 19:46:10.674335003 CET | 1.1.1.1   | 192.168.2.8 | 0xc7a6   | No error (0) | edge-term4.roblox.com      | edge-term4-fra4.roblox.com |                | CNAME (Canonical name) | IN (0x0001) | false
Oct 31, 2024 19:46:10.674335003 CET | 1.1.1.1   | 192.168.2.8 | 0xc7a6   | No error (0) | edge-term4-fra4.roblox.com |                            | 128.116.44.4   | A (IP address)         | IN (0x0001) | false
Oct 31, 2024 19:46:13.617872953 CET | 1.1.1.1   | 192.168.2.8 | 0x6862   | No error (0) | www.nodejs.org             |                            | 104.20.22.46   | A (IP address)         | IN (0x0001) | false
Oct 31, 2024 19:46:13.617872953 CET | 1.1.1.1   | 192.168.2.8 | 0x6862   | No error (0) | www.nodejs.org             |                            | 104.20.23.46   | A (IP address)         | IN (0x0001) | false
                                                                                                                                                    • getsolara.dev
                                                                                                                                                    • clientsettings.roblox.com
                                                                                                                                                    • www.nodejs.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.8 | 49705 | 172.67.203.125 | 443 | 7616 | C:\Users\user\AppData\Roaming\Bootstrapper.exe

Timestamp | Bytes transferred | Direction | Data

2024-10-31 18:46:07 UTC | 81 | OUT
GET /asset/discord.json HTTP/1.1
Host: getsolara.dev
Connection: Keep-Alive

2024-10-31 18:46:07 UTC | 1017 | IN
HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 18:46:07 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jvArD5Hs70oP2hkJksLUclu0dV333uzhQvzce0Lg10p4e6VgVPgIY6jl9dul3WrlIjUgXUlLA3mYYv6LBNN3TJQXdQCLJtwYR5PineGVPdJz%2BsN6zskiMs%2FAmVDaJe7H"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=0
Server: cloudflare
CF-RAY: 8db5ce5729d34752-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1874&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2813&recv_bytes=695&delivery_rate=1584245&cwnd=251&unsent_bytes=0&cid=8a73d6c4d7806e37&ts=277&x=0"

2024-10-31 18:46:07 UTC | 109 | IN
Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a
Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }

2024-10-31 18:46:07 UTC | 5 | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
1 | 192.168.2.8 | 49707 | 172.67.203.125 | 443 | 7616 | C:\Users\user\AppData\Roaming\Bootstrapper.exe

Timestamp | Bytes transferred | Direction | Data

2024-10-31 18:46:10 UTC | 56 | OUT
GET /api/endpoint.json HTTP/1.1
Host: getsolara.dev

2024-10-31 18:46:10 UTC | 1016 | IN
HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 18:46:10 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"a72e086f622b38afe59e084f73bd2f20"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fL0Xd9gUzdJWAIeyZ0rN8h5M4f8l30HyXJs4YwijBc06LNRhsTgKaZWPCOwBbjAKoqTQ%2B6OBHfjfAU3VEdRLGm4jkKCPmbURRqCgpsoiSNGC3QchMNA9N%2BEtNZW4dfm9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=0
Server: cloudflare
CF-RAY: 8db5ce69cea0e98f-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1209&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2812&recv_bytes=694&delivery_rate=2466780&cwnd=40&unsent_bytes=0&cid=9aded624f517f9b3&ts=248&x=0"

2024-10-31 18:46:10 UTC | 353 | IN
Data Raw: 32 31 63 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 32 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 62 37 65 65 62 63 39 31 39 65 39 36 34 37 37 61 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 32 35 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 30 39 36 65 39 38 64 39 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73
Data Ascii: 21c{ "BootstrapperVersion": "1.22", "SupportedClient": "version-b7eebc919e96477a", "SoftwareVersion": "3.125", "BootstrapperUrl": "https://096e98d9.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https

2024-10-31 18:46:10 UTC | 194 | IN
Data Raw: 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 64 64 38 65 63 62 61 36 30 32 39 36 61 64 34 62 39 36 32 66 63 32 61 34 66 33 36 65 38 33 34 32 61 33 32 39 65 62 34 66 30 66 34 31 64 31 33 30 31 65 65 37 38 39 31 63 31 31 34 34 34 33 35 38 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 20 55 70 64 61 74 65 64 22 0a 7d 0d 0a
Data Ascii: ://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"dd8ecba60296ad4b962fc2a4f36e8342a329eb4f0f41d1301ee7891c11444358", "Changelog":"[+] Updated"}

2024-10-31 18:46:10 UTC | 5 | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
2 | 192.168.2.8 | 49709 | 128.116.44.4 | 443 | 7616 | C:\Users\user\AppData\Roaming\Bootstrapper.exe

Timestamp | Bytes transferred | Direction | Data

2024-10-31 18:46:11 UTC | 119 | OUT
GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
Host: clientsettings.roblox.com
Connection: Keep-Alive

2024-10-31 18:46:12 UTC | 576 | IN
HTTP/1.1 200 OK
content-length: 119
content-type: application/json; charset=utf-8
date: Thu, 31 Oct 2024 18:46:11 GMT
server: Kestrel
cache-control: no-cache
strict-transport-security: max-age=3600
x-frame-options: SAMEORIGIN
roblox-machine-id: d845e8bd-e2db-db17-c71a-088763b68f55
x-roblox-region: us-central_rbx
x-roblox-edge: fra4
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
connection: close

2024-10-31 18:46:12 UTC | 119 | IN
Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 34 39 2e 30 2e 36 34 39 30 38 37 38 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 62 37 65 65 62 63 39 31 39 65 39 36 34 37 37 61 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 30 2c 20 36 34 39 30 38 37 38 22 7d
Data Ascii: {"version":"0.649.0.6490878","clientVersionUpload":"version-b7eebc919e96477a","bootstrapperVersion":"1, 6, 0, 6490878"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
3 | 192.168.2.8 | 49713 | 104.20.22.46 | 443 | 7616 | C:\Users\user\AppData\Roaming\Bootstrapper.exe

Timestamp | Bytes transferred | Direction | Data

2024-10-31 18:46:14 UTC | 99 | OUT
GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
Host: www.nodejs.org
Connection: Keep-Alive

2024-10-31 18:46:14 UTC | 497 | IN
HTTP/1.1 307 Temporary Redirect
Date: Thu, 31 Oct 2024 18:46:14 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
Cache-Control: public, max-age=0, must-revalidate
location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-vercel-id: cle1::rrvsl-1730400374647-0252c4e0fe89
CF-Cache-Status: DYNAMIC
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8db5ce83bf49e72e-DFW

2024-10-31 18:46:14 UTC | 20 | IN
Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a
Data Ascii: fRedirecting...

2024-10-31 18:46:14 UTC | 5 | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 14:46:03
Start date: 31/10/2024
Path: C:\Users\user\Desktop\IM3OLcx7li.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\IM3OLcx7li.exe"
Imagebase: 0xbb0000
File size: 907'776 bytes
MD5 hash: 5DE66177F354C6897C28610C4F7BAE57
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1419994885.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 14:46:03
Start date: 31/10/2024
Path: C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase: 0x450000
File size: 75'264 bytes
MD5 hash: 06DF71794E08473F20B46AA17C389269
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1417942243.0000000000452000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1417942243.0000000000452000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: false

Target ID: 3
Start time: 14:46:03
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\Bootstrapper.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\Bootstrapper.exe"
                                                                                                                                                    Imagebase:0x26c241b0000
                                                                                                                                                    File size:819'200 bytes
                                                                                                                                                    MD5 hash:2A4DCF20B82896BE94EB538260C5FB93
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                    • Detection: 63%, ReversingLabs
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:4
                                                                                                                                                    Start time:14:46:03
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:5
                                                                                                                                                    Start time:14:46:04
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:"cmd" /c ipconfig /all
                                                                                                                                                    Imagebase:0x7ff77f880000
                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:6
                                                                                                                                                    Start time:14:46:04
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:7
                                                                                                                                                    Start time:14:46:04
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\ipconfig.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:ipconfig /all
                                                                                                                                                    Imagebase:0x7ff764be0000
                                                                                                                                                    File size:35'840 bytes
                                                                                                                                                    MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:8
                                                                                                                                                    Start time:14:46:08
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\user\AppData\Roaming\FluxusV1.2"
                                                                                                                                                    Imagebase:0x7ff73f770000
                                                                                                                                                    File size:235'008 bytes
                                                                                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:9
                                                                                                                                                    Start time:14:46:08
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:10
                                                                                                                                                    Start time:14:46:08
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\OpenWith.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
                                                                                                                                                    Imagebase:0x7ff6faca0000
                                                                                                                                                    File size:123'984 bytes
                                                                                                                                                    MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:14
                                                                                                                                                    Start time:14:46:13
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7616 -s 2192
                                                                                                                                                    Imagebase:0x7ff629370000
                                                                                                                                                    File size:570'736 bytes
                                                                                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:16
                                                                                                                                                    Start time:14:46:16
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\OpenWith.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                    Imagebase:0x7ff6faca0000
                                                                                                                                                    File size:123'984 bytes
                                                                                                                                                    MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:21
                                                                                                                                                    Start time:14:46:24
                                                                                                                                                    Start date:31/10/2024
                                                                                                                                                    Path:C:\Windows\System32\OpenWith.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                    Imagebase:0x7ff6faca0000
                                                                                                                                                    File size:123'984 bytes
                                                                                                                                                    MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:24
                                                                                                                                                    Start time:14:47:01
                                                                                                                                                    Start date:31/10/2024
Path: C:\Windows\System32\OpenWith.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
Imagebase: 0x7ff6faca0000
File size: 123'984 bytes
MD5 hash: E4A834784FA08C17D47A1E72429C5109
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 14:48:00
Start date: 31/10/2024
Path: C:\Windows\System32\OpenWith.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
Imagebase: 0x7ff6faca0000
File size: 123'984 bytes
MD5 hash: E4A834784FA08C17D47A1E72429C5109
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 14:49:00
Start date: 31/10/2024
Path: C:\Windows\System32\OpenWith.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
Imagebase: 0x7ff6faca0000
File size: 123'984 bytes
MD5 hash: E4A834784FA08C17D47A1E72429C5109
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 14:50:00
Start date: 31/10/2024
Path: C:\Windows\System32\OpenWith.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\OpenWith.exe "C:\Users\user\AppData\Roaming\FluxusV1.2"
Imagebase: 0x7ff6faca0000
File size: 123'984 bytes
MD5 hash: E4A834784FA08C17D47A1E72429C5109
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true
Memory Dump Source
• Source File: 00000000.00000002.1420771079.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffb4b040000_IM3OLcx7li.jbxd

Execution Graph

Execution Coverage: 22.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 6
Total number of Limit Nodes: 0

execution_graph (nodes, then edges):
  4323 7ffb4b062b52
  4324 7ffb4b0632e0 RtlSetProcessIsCritical
  4326 7ffb4b063392
  4319 7ffb4b062fe8
  4320 7ffb4b062ff1 SetWindowsHookExW
  4322 7ffb4b0630c1
  4323 -> 4324
  4324 -> 4326
  4319 -> 4320
  4320 -> 4322

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000002.00000002.3894100220.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b060000_XClient.jbxd
Similarity
• String ID: CAL_^
• API String ID: 0-3140518731

Control-flow Graph: function 7ffb4b069446-7ffb4b069903, no API calls recorded, one internal call to 7ffb4b069904 (rendered graph residue; node and edge dump omitted)
Memory Dump Source
• Source File: 00000002.00000002.3894100220.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b060000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph: function 7ffb4b06a1f2-7ffb4b06a67f, no API calls recorded, one internal call to 7ffb4b06a680 (rendered graph residue; node and edge dump omitted)
Memory Dump Source
• Source File: 00000002.00000002.3894100220.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b060000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.3894100220.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b060000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph: function 7ffb4b0632ad-7ffb4b0633cd, 3 basic blocks, calls RtlSetProcessIsCritical in block 7ffb4b0632ad-7ffb4b063390 (rendered graph residue; node and edge dump omitted)
APIs
Memory Dump Source
• Source File: 00000002.00000002.3894100220.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b060000_XClient.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0

Control-flow Graph: function 7ffb4b062fe8-7ffb4b0630fd, 9 basic blocks, calls SetWindowsHookExW in block 7ffb4b063082-7ffb4b0630bf (rendered graph residue; node and edge dump omitted)
APIs
Memory Dump Source
• Source File: 00000002.00000002.3894100220.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b060000_XClient.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph: function 7ffb4b062b52-7ffb4b0633cd, 4 basic blocks, calls RtlSetProcessIsCritical in block 7ffb4b063332-7ffb4b063390 (rendered graph residue; node and edge dump omitted)
APIs
Memory Dump Source
• Source File: 00000002.00000002.3894100220.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b060000_XClient.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
Memory Dump Source
• Source File: 00000002.00000002.3894100220.00007FFB4B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b060000_XClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID: vW_H$yW_H
• API String ID: 0-40145839
                                                                                                                                                      • Opcode ID: 9a201a1317377425934b34830abdbdc0a786b66ca161a4cc9c78b6955ede1ebc
                                                                                                                                                      • Instruction ID: dd0e1ea9fc673e1b29e6cd64252164ef1899869873fbd8a1e03f1ff289279c5a
                                                                                                                                                      • Opcode Fuzzy Hash: 9a201a1317377425934b34830abdbdc0a786b66ca161a4cc9c78b6955ede1ebc
                                                                                                                                                      • Instruction Fuzzy Hash: 1D125FB1E1991D8FEBA4EA6CD899BE877E1FB58341F0041F5D10DD3292DE386D828B50
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: ,K_L
                                                                                                                                                      • API String ID: 0-4112966043
                                                                                                                                                      • Opcode ID: daa721cd2c28753bcc53fc7e9d6313b6f3aad21b5da99e7b5828b74db97cd484
                                                                                                                                                      • Instruction ID: fde98341652d633d4b23ab7152ad6d7707eb099271d378ff7c35453ab4e11b45
                                                                                                                                                      • Opcode Fuzzy Hash: daa721cd2c28753bcc53fc7e9d6313b6f3aad21b5da99e7b5828b74db97cd484
                                                                                                                                                      • Instruction Fuzzy Hash: F3D15AB2A1DA8A4FE749AE3CD8551B937D1EFA5351F0441BED48DC3293ED28E8078381
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: \
                                                                                                                                                      • API String ID: 0-2967466578
                                                                                                                                                      • Opcode ID: d97eec8094f32264fe9d712036b7e69063806d7cf0abfbd4d1df721a6e7f7bea
                                                                                                                                                      • Instruction ID: 902a08d031ed272a91d3b230904dd93c582de980e35632f3861c747fc9c5d03e
                                                                                                                                                      • Opcode Fuzzy Hash: d97eec8094f32264fe9d712036b7e69063806d7cf0abfbd4d1df721a6e7f7bea
                                                                                                                                                      • Instruction Fuzzy Hash: DC4213B1A1CB454FE769EE3CC4956797BD1EF85301F0480BED58EC32A2DD28B8468791
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: d
                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                      • Opcode ID: 7a53f20200771df14dca1e41237f1d7bc2a6be34eda9807accf92c0caf0c6d1a
                                                                                                                                                      • Instruction ID: d93b4ef1764f47bae8257f84f53cacd5459d12591c001577ba30067f06449e58
                                                                                                                                                      • Opcode Fuzzy Hash: 7a53f20200771df14dca1e41237f1d7bc2a6be34eda9807accf92c0caf0c6d1a
                                                                                                                                                      • Instruction Fuzzy Hash: 70C11470A1CB898FD769EF28C440A75B7E1FF95301B1485BDD18AC76A2DE39F8428781
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: d
                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                      • Opcode ID: d2ba6d8bd4e85977bf5dc9907626b9539a4570baf8585998f76b29c49c7d57cd
                                                                                                                                                      • Instruction ID: 14fc93e0c5f2bb2e4be7c7bc337dcbbffcccd98bdec4df42a0526bca94625334
                                                                                                                                                      • Opcode Fuzzy Hash: d2ba6d8bd4e85977bf5dc9907626b9539a4570baf8585998f76b29c49c7d57cd
                                                                                                                                                      • Instruction Fuzzy Hash: 1FC1E0B061CB498FD769EE28D481A35B3E1FF95301B14857DD18AC3AA6DE35F8438B81
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: d
                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                      • Opcode ID: adbc08afbacc84607557ca2c23987a5433de2cf1a9009f2bd5eb752209de80b1
                                                                                                                                                      • Instruction ID: 59f4f675ef253fc23926b39946be1a24b900f57417c83b7ce7e15fc53424c83c
                                                                                                                                                      • Opcode Fuzzy Hash: adbc08afbacc84607557ca2c23987a5433de2cf1a9009f2bd5eb752209de80b1
                                                                                                                                                      • Instruction Fuzzy Hash: 6EB1CDB0A1CB458FD769EE2CD442636B3E1FF99301B14857DD58AC36A2DA35F8438B81
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: kk
                                                                                                                                                      • API String ID: 0-3092815392
                                                                                                                                                      • Opcode ID: cd629dd5a439d2ef8805db2c315e86168f57630187a672a167d947d7a030f5d1
                                                                                                                                                      • Instruction ID: 2c11fb402eaa8f56e4a7f4b56fa4dd9d6339dd6f7c93bd9077ffcf38ec735d63
                                                                                                                                                      • Opcode Fuzzy Hash: cd629dd5a439d2ef8805db2c315e86168f57630187a672a167d947d7a030f5d1
                                                                                                                                                      • Instruction Fuzzy Hash: A3B18FA0A1CA494FEB99FF38C055EB477D1EF58301B0481BAD94EC76A7DD28E846C781
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: ?K_H
                                                                                                                                                      • API String ID: 0-2967985651
                                                                                                                                                      • Opcode ID: e1467d517c2f7c7f28383c0bc4068e8691d6f038ea01fd180ea0a3f0c5806d5c
                                                                                                                                                      • Instruction ID: 2e8a0e247d0897b0ab9bb010615c45d8b3da6d1895967ba93dcf4e6030a16d0b
                                                                                                                                                      • Opcode Fuzzy Hash: e1467d517c2f7c7f28383c0bc4068e8691d6f038ea01fd180ea0a3f0c5806d5c
                                                                                                                                                      • Instruction Fuzzy Hash: A9B126A0A0C74A4FE765BE3CC9542B937D1EF46302F0585BED68AC72E3ED2C68468351
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: dK_H
                                                                                                                                                      • API String ID: 0-2901103952
                                                                                                                                                      • Opcode ID: 1c053aceb85a50faa606f95e6e759a2a020938f5b26633d043c72f228ffa7835
                                                                                                                                                      • Instruction ID: e6117de7aa005f2d56481754d5f3d81b354211ee8b98b92841cf630ae8bbd04c
                                                                                                                                                      • Opcode Fuzzy Hash: 1c053aceb85a50faa606f95e6e759a2a020938f5b26633d043c72f228ffa7835
                                                                                                                                                      • Instruction Fuzzy Hash: 31511BA270DE4E1FE799EA7C98591753BC1EBE826270583BFD04DC72A2ED149C428381
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: #S_H
                                                                                                                                                      • API String ID: 0-3088959260
                                                                                                                                                      • Opcode ID: 56d5d344f8df17d52f463ad85f873634378d12dd05c2161d29f212cd105cabb3
                                                                                                                                                      • Instruction ID: abd9a401fe9fb0e3ead4904a43d0c34e61d708e8acd1482958f75fa07b505eb5
                                                                                                                                                      • Opcode Fuzzy Hash: 56d5d344f8df17d52f463ad85f873634378d12dd05c2161d29f212cd105cabb3
                                                                                                                                                      • Instruction Fuzzy Hash: 1E711E70A18A4E8FDFD4EF2CC495EA977E1FF68342B044579E54AD37A1CA24E841C784
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: _
                                                                                                                                                      • API String ID: 0-701932520
                                                                                                                                                      • Opcode ID: f646682954f4094e7dd41ee577eba6b919295d7a8a7e43ff8ac5941282d715f1
                                                                                                                                                      • Instruction ID: 1c108da76daec25a2c0a9fb3b6ca41cef732560b75c02404318113298e5107b1
                                                                                                                                                      • Opcode Fuzzy Hash: f646682954f4094e7dd41ee577eba6b919295d7a8a7e43ff8ac5941282d715f1
                                                                                                                                                      • Instruction Fuzzy Hash: 30315963A0D6550FD315EB7CE8A25E93BE0DF42261B0880F7D5CCCB2A3DC0CA8468795
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                                      • Opcode ID: 0bfc9eea6fce5f54c200aefe107d684d3fb1d018facf7a78d68e29b6cfda3be0
• Instruction ID: 20800478b7fd23bdbc98e09e9ca9cd02e9c467042d6dc27f6be46a309c7173d7
• Opcode Fuzzy Hash: 0bfc9eea6fce5f54c200aefe107d684d3fb1d018facf7a78d68e29b6cfda3be0
• Instruction Fuzzy Hash: 9111C47041D6C56FD7059BB884566BA7FE0DF0B209F0888EED9C6C72A3C629681BD742

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f83dd5305f02fe641ef0c68a21365455c245fb2d6faddf31eb37fb1224fbd94b
• Instruction ID: 6a2ce7081b5fe9559cb2e2702dd665339b966c62d485e4f49c7915ae6b10965a
• Opcode Fuzzy Hash: f83dd5305f02fe641ef0c68a21365455c245fb2d6faddf31eb37fb1224fbd94b
• Instruction Fuzzy Hash: 9502F670A0CA494FD759EB2CD495AB97BE1FF99301F04817ED48EC36A6CE24E846C781

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0dbfcf44f51d49935912aa1d56b6305c98eab2c4e8ce9492324536e516789544
• Instruction ID: 80cf4d3776e4003c3d7db9302266ea2b9e5ad052d576cf001594943f31ef733b
• Opcode Fuzzy Hash: 0dbfcf44f51d49935912aa1d56b6305c98eab2c4e8ce9492324536e516789544
• Instruction Fuzzy Hash: B40295B061CB894FE754EF28C455A6ABBD2FF99341F04857ED48DC33A2DE38A8458742

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0268865662cee6d90774a1be6203326993b08098c971e3e5faed959b2982a406
• Instruction ID: 413d4d5ec9c66a3f84e410ce522cb5980688d8dfef8c39a6ac5637bef5bdb820
• Opcode Fuzzy Hash: 0268865662cee6d90774a1be6203326993b08098c971e3e5faed959b2982a406
• Instruction Fuzzy Hash: 540286B061CB894FE754EF28C455A6AB7D2FF99341F04857EE48DC33A2DE38A8458742

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3952f6a7ecd658dc94f0ba0865deea599b0de71501261977620beddf61ddd777
• Instruction ID: b66ca2347978d52f0301b52d3c98426b1e1ba0aae5d2c16ea610aeef93140dc7
• Opcode Fuzzy Hash: 3952f6a7ecd658dc94f0ba0865deea599b0de71501261977620beddf61ddd777
• Instruction Fuzzy Hash: E2E138A1B1CB494FE755AB3C98562B87BD1EF99301F0841FED94DC73A3DD28A8428381

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01512bd3effdaa1bf24455bf4787dd903d8c7ecb5b737be4e6d75331c3413ad2
• Instruction ID: 2e982cdb79e26ee99a09ef735d313978ec3a5bc5460d81c48a39fbd03ad00760
• Opcode Fuzzy Hash: 01512bd3effdaa1bf24455bf4787dd903d8c7ecb5b737be4e6d75331c3413ad2
• Instruction Fuzzy Hash: 5BE108A190D6850FE726AB7C99621B97BE1EF47301B0885FFC58AC72E7DD1C68078342

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8e0cae78a328b1fde5a54979b38235bf1033300b786898a0d2108473afe4490
• Instruction ID: 9cd9abc4acd2b2244fda8dd40177ad7a005f6d999ac688a2156c60a78d635ed6
• Opcode Fuzzy Hash: c8e0cae78a328b1fde5a54979b38235bf1033300b786898a0d2108473afe4490
• Instruction Fuzzy Hash: 33E1CE70A0DA494FEB59EFB8C466ABDBBE1EF45301F0484FDC54AC76A3DD2868468740

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90b613059b6f06fbbf3f5f0c46c4cef2d7995c8d90ad8754742a1be310fcc901
• Instruction ID: e4d40813547f26abaa9e97ab294204de8bbc03e654477be586e5ce348a4458a9
• Opcode Fuzzy Hash: 90b613059b6f06fbbf3f5f0c46c4cef2d7995c8d90ad8754742a1be310fcc901
• Instruction Fuzzy Hash: 26C1E761B1CA494FDB95EB3CC45A6793BE1EF9960270941FEE58DC73A3DD28AC028341

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e07bfdb3182647a88f837d425259fc6b5e6a5c654baff481a7de14d13da65ee
• Instruction ID: fd3e58ecb0fa947f7234796a42cbf9b715e41a4eb6c685bad69eca8f252eb3f8
• Opcode Fuzzy Hash: 2e07bfdb3182647a88f837d425259fc6b5e6a5c654baff481a7de14d13da65ee
• Instruction Fuzzy Hash: 02D1F5A0A1C60A4FE729BE3CD9912B977D1EF65301F15C5BEC18EC72E2CC29B8424351

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cc7908a9a4224b16d4d459a8e0e4dfd7e396d918219ff3c1d436380cf85d6f6
• Instruction ID: a0f863d15688fd8e458ad7e551e000bc2a9abab5d8ca52d779527bdd16b961b1
• Opcode Fuzzy Hash: 5cc7908a9a4224b16d4d459a8e0e4dfd7e396d918219ff3c1d436380cf85d6f6
• Instruction Fuzzy Hash: 3CB155A3B0DD4E0FF7B9EA7C945967527C1EBA9252B1480BBD58DC37B1DC189C064381

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ca656fa80346d099d7edb61f554d3c4de6610cbb45839ebba8f6e9887f106fd
• Instruction ID: d22c730e6f2a0533cc33cc71c49e58490052ec3791187245a815179a3215ce35
• Opcode Fuzzy Hash: 3ca656fa80346d099d7edb61f554d3c4de6610cbb45839ebba8f6e9887f106fd
• Instruction Fuzzy Hash: DCC15E93A0D6564BE322BB7CF4655F83BE0DF42336B0881B7C68CCA593DD18744A46E5

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81d65ceb15ce839a4abe17d8be1984a24b84c25df7c0bb5a5ac8f0fb1c8e0f5a
• Instruction ID: 1eaa663f669b183e4fb7a037446efd9adf935097b90c508ea11dbb84597cb534
• Opcode Fuzzy Hash: 81d65ceb15ce839a4abe17d8be1984a24b84c25df7c0bb5a5ac8f0fb1c8e0f5a
• Instruction Fuzzy Hash: 22C1D270A0CA494FDB94FF2CC855AB97BE1FF99351B0441BEE54AC32A2DE24E8458781

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b332e72ef8ce374e8bcb15dbc98281a7d56b3f242219b61292bf014f9e6fb656
• Instruction ID: e463d539b56cf836412be5171039b03a2f857148cd9d87d722aa45c0042736d4
• Opcode Fuzzy Hash: b332e72ef8ce374e8bcb15dbc98281a7d56b3f242219b61292bf014f9e6fb656
• Instruction Fuzzy Hash: DEC17C72B0CB564FD316BE7CE8451F87790EF81322B1446BBD248CB2A7DE25A84687D1

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ec0c3d8d1f71fdad5f607b8404ee69b2a7efc2dd4437a278a9d6261414892ec
• Instruction ID: 374e1fa4b410e7d601ee0a78ba1210d28f557294e307d4134152bc4a4925c5a9
• Opcode Fuzzy Hash: 3ec0c3d8d1f71fdad5f607b8404ee69b2a7efc2dd4437a278a9d6261414892ec
• Instruction Fuzzy Hash: 8FB105A1A1C9494FEB99FE6CC84667937D1EF99351B0041BEE94EC72A3DD24EC438381

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e851c4246cc663fb527dbf287893698cc9ea0cb302aa13bc71ad16d39d3d5f8b
• Instruction ID: 3a8c1c4c174e96d6a927a151e8de768ce6aba2e461e332bb388d080f94e1e752
• Opcode Fuzzy Hash: e851c4246cc663fb527dbf287893698cc9ea0cb302aa13bc71ad16d39d3d5f8b
• Instruction Fuzzy Hash: 9DC12AA1A0DACA0FE795EF7CD8556B83FD1EF9A251B0850FED588C72A3CD189816C341

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: afaeb0077136bc6159cc48ace11c451e2eb10d8b645d8f5b2dcb70a880213cfd
                                                                                                                                                      • Instruction ID: e7571c5d2fdbf00596ff34daa05ab2a12c554616e348fe13c09e34b73a878448
                                                                                                                                                      • Opcode Fuzzy Hash: afaeb0077136bc6159cc48ace11c451e2eb10d8b645d8f5b2dcb70a880213cfd
                                                                                                                                                      • Instruction Fuzzy Hash: 4DA17A62A0CA4E0FE795EF7CD8569B57FD1EF85361B0841BAD54DC32A3ED15B8428380
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f504e9351a78d57d3df00b6041628b1b24b75ae5d1be6cb4c4195070dc7264c0
                                                                                                                                                      • Instruction ID: 0d9955a4c79871ac6febfad17f661ece4fe0c7026d8a0d3e62e21bbf4aceabd6
                                                                                                                                                      • Opcode Fuzzy Hash: f504e9351a78d57d3df00b6041628b1b24b75ae5d1be6cb4c4195070dc7264c0
                                                                                                                                                      • Instruction Fuzzy Hash: 97B16AA390EA850FE355BA7CEC591A47FD1FF4126670842FFD189C72A7EC14AC168391
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: dded56899d496512be1bf676cc3e1a8838e5f5f47a6f28890c2aa16bcf3f4c92
                                                                                                                                                      • Instruction ID: 6bc8d342922d3cf4d5b60401fc1f1aa218e4d8b9f65de1ac3750a60974ad0812
                                                                                                                                                      • Opcode Fuzzy Hash: dded56899d496512be1bf676cc3e1a8838e5f5f47a6f28890c2aa16bcf3f4c92
                                                                                                                                                      • Instruction Fuzzy Hash: 7FA1D971A0CB484FEB68EF6CD8466B97BD1EF99311F04017EE589D3262DA25F841C782
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6964be5c698a7b9089ef9f597700b27209f2304c184e0506b3bc8ccc94e3a44a
                                                                                                                                                      • Instruction ID: f34fedf75a9797598c4ec089c715726aba624f6a1c9234d4ca97945f1ae9380e
                                                                                                                                                      • Opcode Fuzzy Hash: 6964be5c698a7b9089ef9f597700b27209f2304c184e0506b3bc8ccc94e3a44a
                                                                                                                                                      • Instruction Fuzzy Hash: F081196171CD090FEAA5EB2CE859BB937D1EBD9362F0541BAD44DC33A2DD199C838381
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 827725ac6f2686e6b50b3efeff2752c93bbff72e16ee85498531144b5cab034f
                                                                                                                                                      • Instruction ID: c850937ea442344866b73efb3a09a95d4413dd0b49ddd51b87f1b7414afe049e
                                                                                                                                                      • Opcode Fuzzy Hash: 827725ac6f2686e6b50b3efeff2752c93bbff72e16ee85498531144b5cab034f
                                                                                                                                                      • Instruction Fuzzy Hash: 993149B250CFC94FD740FA38C859AA5BBD1FF99351F0845BAD189C32B2DA18A8058382
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 543de6b6f39db1d62e44d20c87a094a2b3cd726fc7fca9f02da85a2ec6eaa5c7
                                                                                                                                                      • Instruction ID: a63734e8856116cad5959e28c51f046855821aea307e606fd0bd87806373608b
                                                                                                                                                      • Opcode Fuzzy Hash: 543de6b6f39db1d62e44d20c87a094a2b3cd726fc7fca9f02da85a2ec6eaa5c7
                                                                                                                                                      • Instruction Fuzzy Hash: DE816AA190EBC54FD747AB3888759657FB0AF5720170D81EBC5C8CB6A3D91CA80AD326
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0373d7ce25aa6466235f77c3f690532478c612c1adbd4503e1d9a4843ad17ba3
                                                                                                                                                      • Instruction ID: 00e4ac58d1a2772c23c01a0b9e084cb5e0eaab12a0715cb34d7229a5b94ce127
                                                                                                                                                      • Opcode Fuzzy Hash: 0373d7ce25aa6466235f77c3f690532478c612c1adbd4503e1d9a4843ad17ba3
                                                                                                                                                      • Instruction Fuzzy Hash: CC911471A1CB4A8FD758EE3CD4859B6B7D0FB55321B14867DD18AC3692EE28F8428780
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c6517f1c22e5e882debb93595cb68406ec485fc60cb166d07dcd14b9c0b6e735
                                                                                                                                                      • Instruction ID: b01d7fc85ef33425b474b820d68ee34356aea187e635ab93befc77beaa65fc1c
                                                                                                                                                      • Opcode Fuzzy Hash: c6517f1c22e5e882debb93595cb68406ec485fc60cb166d07dcd14b9c0b6e735
                                                                                                                                                      • Instruction Fuzzy Hash: 969123B1A1CB4A4FD359EE2CD4865B6B7D0FF55311B14867ED48AC32A2EE34F8428780
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f90e14669aa042d1ade5e47dd5e2d9953b1e40cfd4de876c92a54d74e14c70e2
                                                                                                                                                      • Instruction ID: 9941aa4712143cb7aaf1fa9635ab0a6d76a946645d1ceded5665e2296c0423ac
                                                                                                                                                      • Opcode Fuzzy Hash: f90e14669aa042d1ade5e47dd5e2d9953b1e40cfd4de876c92a54d74e14c70e2
                                                                                                                                                      • Instruction Fuzzy Hash: 018178A2A0CA594FD751FB3CE4A55F93BD0EF95321B0041BBE589C72A3DD18E8068395
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7bf2d4ebc3a9697fb9289ee68207a4f9a1bda4509878d0fa8c0be43d6e8c835f
                                                                                                                                                      • Instruction ID: c5ffef7f2de59010f84826ac5ac705952d05ed16874eb062964c45c3b0c2a4b6
                                                                                                                                                      • Opcode Fuzzy Hash: 7bf2d4ebc3a9697fb9289ee68207a4f9a1bda4509878d0fa8c0be43d6e8c835f
                                                                                                                                                      • Instruction Fuzzy Hash: 708148B160DA4A4FE359EF3CD88667077E0FF55321B0841BED189C72A7E929B842C741
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 68940ee311853899f17956f472ad938eaab07f3606d504f53a40843bfced4af3
                                                                                                                                                      • Instruction ID: b1d2402c9fbc161dc26cc20fc4bad925f9eeb5160e622cc86cce35ace3c1a83b
                                                                                                                                                      • Opcode Fuzzy Hash: 68940ee311853899f17956f472ad938eaab07f3606d504f53a40843bfced4af3
                                                                                                                                                      • Instruction Fuzzy Hash: D8815BA150CF8A5FE794FA3CC4597B5BBD1FF99351F0845BAC089C3692CD2CA8468382
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: cb5e51f72c32c1d414b0504c3b8004393f55d040491ea3f84804d002b18cb638
                                                                                                                                                      • Instruction ID: fc8b9cfb890040c0038438124b4c5e322a7b3a17527aee2d1dde8e24e772c76f
                                                                                                                                                      • Opcode Fuzzy Hash: cb5e51f72c32c1d414b0504c3b8004393f55d040491ea3f84804d002b18cb638
• Instruction Fuzzy Hash: 4C71587061CB8A8FD359EF3CD4818B577E0EF56311B10867ED58AC36A2DE28F8428781
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00e8fdc712deea1d81a38610749fafe154e0fc495c0ed859ab7a1a7107085d2e
• Instruction ID: 0571d8f764e7e334d94d7dded69663d8f2429c18190e5bbe086d1cc3381e3bad
• Opcode Fuzzy Hash: 00e8fdc712deea1d81a38610749fafe154e0fc495c0ed859ab7a1a7107085d2e
• Instruction Fuzzy Hash: 6161F2B0A0DA894FE799EB3CC8567697BE1EF55301F0441BED04CC72A3DE28AC068751
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b756efd63ecab99f7bcfdeded6fbb971ca0c5c1d0e286ab28b47e0861c3b2e14
• Instruction ID: 795e3d04f0f9405bba02c038be1b6740c814af64e1360df2b622c1552e3051ed
• Opcode Fuzzy Hash: b756efd63ecab99f7bcfdeded6fbb971ca0c5c1d0e286ab28b47e0861c3b2e14
• Instruction Fuzzy Hash: 6C614D91A0DBC50FE3529A7C98592657FD1EF6A251F1841FFC0C9CB6E3C915A846C381
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49f6805efccdb1aa82b0062c947f4ba0cf1626900cb5648ae5b300cc3a1f7d2f
• Instruction ID: 1370fc19bbf75f064b753b066f930e1a86fc4bf64ff2be6906f252cf440884a5
• Opcode Fuzzy Hash: 49f6805efccdb1aa82b0062c947f4ba0cf1626900cb5648ae5b300cc3a1f7d2f
• Instruction Fuzzy Hash: 5461F17061CB454FD768EF2CC4959B6B7E1EF95301F10867ED18AC72A2DE24F8468781
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f109cd6f7d108591af167c9e6113475fde95edd2dc9e5e65f72e1a4f89e3f772
• Instruction ID: 734066fd2768b98101b3c8a400e765f4f8a939f079294aac12dd0b72b96d555e
• Opcode Fuzzy Hash: f109cd6f7d108591af167c9e6113475fde95edd2dc9e5e65f72e1a4f89e3f772
• Instruction Fuzzy Hash: 0951CF6170CE0A4FEBE8EA6CD994E7467D2EF6C32274849BAD54DC77A6CD14EC418380
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56493ef10a72023bb8a3647536f09de22eb03bd80597f1c54f088097db55fdce
• Instruction ID: 2a59cd360efe6d35ad8762b4bbdd0da6d7e50f5dad7285700db8552922f5830c
• Opcode Fuzzy Hash: 56493ef10a72023bb8a3647536f09de22eb03bd80597f1c54f088097db55fdce
• Instruction Fuzzy Hash: 3051047161CA0A8FE759EF2CD984A7173E0FF99312B1446B9D54DC3662DE29F8438780
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e1b6b7e7eb58c9501a139cd05a1376fc41bcd0b2ea55b28363d831109fcc4ca
• Instruction ID: 7b9574c1eb087edeab8e4a3d793a9789301b14eb794a08bf931ffc8b7972b4d0
• Opcode Fuzzy Hash: 5e1b6b7e7eb58c9501a139cd05a1376fc41bcd0b2ea55b28363d831109fcc4ca
• Instruction Fuzzy Hash: A6519CA2A0DE8A0FE3A5AA7CC45A2757FD1EF9A26270451FED18DC72B2DC149C178341
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d88d60ebe4d93210e7090846827cfbc05deed41a45d0ba5585e15240c7ffcce1
• Instruction ID: 92724f1757037e2a0015516950c7bad39c6883ebf462a7dac1a72184daba2040
• Opcode Fuzzy Hash: d88d60ebe4d93210e7090846827cfbc05deed41a45d0ba5585e15240c7ffcce1
• Instruction Fuzzy Hash: 7F51E460B1CA594FDB95EA3CD455AB93BD1EFA8311F0441BBF44AC33A7CE28E8418381
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 486eec0ef6ef05ecd478742f44ce186adbb60fe0e5ad66cbed184d39611af88a
• Instruction ID: cb99f51ba9cf40ad5c03a565d12543aa81db137793f136e9ff2751aa8e5baf1b
• Opcode Fuzzy Hash: 486eec0ef6ef05ecd478742f44ce186adbb60fe0e5ad66cbed184d39611af88a
• Instruction Fuzzy Hash: 9D51DEA070C9494FEB95EF6CC894A7537D2EF99312B1451BAD94EC72A7CD28EC52C380
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01a033732c5a65f1bf7a39e2035712cc587d31c8e85a9aaac8304b78bb324406
• Instruction ID: 5f247b0c80f99729006d39773f59e7f756c07f0203c15c7aae8d55e3b109924f
• Opcode Fuzzy Hash: 01a033732c5a65f1bf7a39e2035712cc587d31c8e85a9aaac8304b78bb324406
• Instruction Fuzzy Hash: 39513AA290DA895FE741EBB8C8665F97FF0EF06241F0442FAC589972A3DD1828068751
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5e74b9b40c9a1f4453b9749fe74c5df22502d1842aa72ae13eef094ad36ad4f
• Instruction ID: 8f2594dbacbbb79ca3f38af5a7d8a5d5cb4bdf73543973be2b21b35dcbfd0abc
• Opcode Fuzzy Hash: d5e74b9b40c9a1f4453b9749fe74c5df22502d1842aa72ae13eef094ad36ad4f
• Instruction Fuzzy Hash: E6518FB1D1C9598EFB69EE6CD8953A87BA0FF58301F4041BED14DD72A2DE3468828B50
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 683a6aa65ec291fbdd90440e945e6dd33c30068ca9f3bda3abe472425d666d8c
• Instruction ID: 3a07bbd0684e6f112c4b5ff72c473a0a3155474f8449c1de5bbc9b8bb1fbe400
• Opcode Fuzzy Hash: 683a6aa65ec291fbdd90440e945e6dd33c30068ca9f3bda3abe472425d666d8c
• Instruction Fuzzy Hash: EB41F9A1B1DE890FD785EF7C98561B87BE2EF99251B0841BED58DC3392DD246C0683C1
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86c8b6fff01081afaba9d5221bd9c4be007b7581b2f32730790e2c52e039134f
• Instruction ID: 2d936de8437eb8f8d3ca7502d7956011e7f363b89ebff554effdcde214a0e104
• Opcode Fuzzy Hash: 86c8b6fff01081afaba9d5221bd9c4be007b7581b2f32730790e2c52e039134f
• Instruction Fuzzy Hash: 79416A2170C80D4FEBA4EE5CE588FA463D2EFA9361B1445BAE14DC73A6CA24DC468780
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f3ebaa18241552bfa8c15eccb5ff3b035c87835d151e72e63a72b9b1559bdc5
• Instruction ID: f40594bb731cdf805d1d6ba27f54a77429b52c1018154a688566872e957f05fb
• Opcode Fuzzy Hash: 1f3ebaa18241552bfa8c15eccb5ff3b035c87835d151e72e63a72b9b1559bdc5
• Instruction Fuzzy Hash: A941286060DA890FE789EB3CD829A797BD1EF99311B0845FED48DC72A3DD18AC428340
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc09ed9be8dc76788fbc7f0416ef1935179839690a58372e3fe3b6e5f41bec51
• Instruction ID: a2561206b8e6278e2595d1fe987c338b6961c220aed1b846be2ba660c7359b8e
• Opcode Fuzzy Hash: bc09ed9be8dc76788fbc7f0416ef1935179839690a58372e3fe3b6e5f41bec51
• Instruction Fuzzy Hash: 63414962A1CD4E0FE798EB3CD855B7577D1FF98211B4441BAD18DC3696DD18EC028381
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 48cc474d7e9ff5c9d68ef323cdbc563402af4d2e5144d076185ddd349237e19d
                                                                                                                                                      • Instruction ID: b970af53e7eade56de01b6bb4c90c729673f60e76a7492842f46dfbcacaa8d53
                                                                                                                                                      • Opcode Fuzzy Hash: 48cc474d7e9ff5c9d68ef323cdbc563402af4d2e5144d076185ddd349237e19d
                                                                                                                                                      • Instruction Fuzzy Hash: 59417993F0DA960FE352FB7CE8A55F57BE0EF952A170841B7C189C2693DC18684782D0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c58d13748caecf6d805e6bbcb8295241907333a6e5a6ea9d97104bca77ef6cc9
                                                                                                                                                      • Instruction ID: 773318a72e41e2307bcd83898b94022b60975bbbaa354ae556d49b19ec414c4b
                                                                                                                                                      • Opcode Fuzzy Hash: c58d13748caecf6d805e6bbcb8295241907333a6e5a6ea9d97104bca77ef6cc9
                                                                                                                                                      • Instruction Fuzzy Hash: 6041C1B061CA8A8FDB65EB3CC094E727BD1EF59301B0485A9D18EC7AA2CD25F845D750
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 66251badd2633c0edf6d6b079c25fe2c0bd377eadaff54350f5668d96aeb7684
                                                                                                                                                      • Instruction ID: d3d47179b9794fab84c35321adf43d3b49439eeb4459d2bd23c1f064100fe0d8
                                                                                                                                                      • Opcode Fuzzy Hash: 66251badd2633c0edf6d6b079c25fe2c0bd377eadaff54350f5668d96aeb7684
                                                                                                                                                      • Instruction Fuzzy Hash: 2341D561A0DBD90FD79AEB3C88752683FE1EF46251B0981FFD489CB2B3D9185D068352
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 5dcb1fd0398caba1df23a63189c03e2f514dfd54901b07830bc2a1c38fafb0dc
                                                                                                                                                      • Instruction ID: 19bcffa9f99cc057bbf8a38f7722af0f6f1600be7731caea597ecb851117522d
                                                                                                                                                      • Opcode Fuzzy Hash: 5dcb1fd0398caba1df23a63189c03e2f514dfd54901b07830bc2a1c38fafb0dc
                                                                                                                                                      • Instruction Fuzzy Hash: A7412B53A0C6994BE751FB3CE8A69F53BA0EF5222170841F7D58CCE253DC18B84B87A0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 5a31dca0f773beb416748a76765c152d1272c7b1541f8b69bd7a76d2e4a3eb9f
                                                                                                                                                      • Instruction ID: 2247a648688ca9f7d0fc36a144a56ddf9a33313df7c8f82fd941063eb1e4ba0a
                                                                                                                                                      • Opcode Fuzzy Hash: 5a31dca0f773beb416748a76765c152d1272c7b1541f8b69bd7a76d2e4a3eb9f
                                                                                                                                                      • Instruction Fuzzy Hash: 5141F370A1CE0A4FD768EA3CD4556A573D1FFA4301F04857DD58AC32A6EE29F882C780
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: d6b2e566737650ce99787a35cab0ef5e3b495fa9f19334bb584695bf731e1a6a
                                                                                                                                                      • Instruction ID: e781b23d3ad9fbf37e137dcb7682abd63b9fa674e5fcf6c70168588c9d63e33a
                                                                                                                                                      • Opcode Fuzzy Hash: d6b2e566737650ce99787a35cab0ef5e3b495fa9f19334bb584695bf731e1a6a
                                                                                                                                                      • Instruction Fuzzy Hash: F8317BA2B1CD550BE7A4EA3CD81D6B937D0EB94351F0545BBE44DC33A1DE1C9D424385
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 76b4e8e5b69dec6eb5b152e99f083ed8347474a2bacb8a274bb21cc1ac274ae3
                                                                                                                                                      • Instruction ID: 488cfb014c61e38fb3919d1ff736836429eb5a4b37cb41f2b49bdef22d2ce0ef
                                                                                                                                                      • Opcode Fuzzy Hash: 76b4e8e5b69dec6eb5b152e99f083ed8347474a2bacb8a274bb21cc1ac274ae3
                                                                                                                                                      • Instruction Fuzzy Hash: 1841DC6061CA4A8FD729EB3CC0947B577E1EF55302F14C0BDC58AC72A2CE29B8428781
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 9d272118bab855cafda918941c5638aa2dab735aa4daa7f2003944485dd1f2aa
                                                                                                                                                      • Instruction ID: 7224659f9cf47a3d0d79ddb5eededff0980cd0257f2b80a73e42d0cae8fb0880
                                                                                                                                                      • Opcode Fuzzy Hash: 9d272118bab855cafda918941c5638aa2dab735aa4daa7f2003944485dd1f2aa
                                                                                                                                                      • Instruction Fuzzy Hash: FD41D2B061CE8A8FDB95EB3CC094E71BBE1EF59301B0485EAD08EC76A2C925F845D750
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: a6085db4a8b044bd52329909415a90f99c1b046363ace2945309bbc21e0998b4
                                                                                                                                                      • Instruction ID: 28b6856f48cc3a3caeb356e0b060069d60c79c3976f172a344c0e3db40815cb3
                                                                                                                                                      • Opcode Fuzzy Hash: a6085db4a8b044bd52329909415a90f99c1b046363ace2945309bbc21e0998b4
                                                                                                                                                      • Instruction Fuzzy Hash: 2F41E371A0D94A8FDB45EB38C455BFDBBE0EF59305F0441AAD14DC72A2CE28A845C780
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7edcf4a5975db7d9a0266dfd7ca9565b5ae73fb9dd0561b58d476570cfb78250
                                                                                                                                                      • Instruction ID: 0e4f9cf933fc41a7fe518a6c8c76740bb179b787167c922dea86ccefac5ec803
                                                                                                                                                      • Opcode Fuzzy Hash: 7edcf4a5975db7d9a0266dfd7ca9565b5ae73fb9dd0561b58d476570cfb78250
                                                                                                                                                      • Instruction Fuzzy Hash: 6131F86150DBD94FD7A6EB3C98646A43FE0EF43251B0A42EFD489CB2E3D9085C05C392
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 1c8347fa73f5f9510173357b14ace530677873f66e375804ae69d714690eb9f6
                                                                                                                                                      • Instruction ID: a94b5cd42328388247f21f6859fef588df838e6845f0d367cadfeb01cf7e1dcb
                                                                                                                                                      • Opcode Fuzzy Hash: 1c8347fa73f5f9510173357b14ace530677873f66e375804ae69d714690eb9f6
                                                                                                                                                      • Instruction Fuzzy Hash: C731F27160CF4D4BEB48EF2CD8559667BE1EFA9351F10416EE94DC3392DE21E8428781
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 9f6ccfae15469326abc6dd7aeef29b8d6c5e3075d79e1b37a3d3e8d6df479050
                                                                                                                                                      • Instruction ID: 020a44916eba390a894cb84a2d22397b7b9af900d8c07a388fc643ad732fd8b8
                                                                                                                                                      • Opcode Fuzzy Hash: 9f6ccfae15469326abc6dd7aeef29b8d6c5e3075d79e1b37a3d3e8d6df479050
                                                                                                                                                      • Instruction Fuzzy Hash: EE318D71A08D294FEB98EA2CD859BED77D1FB98312F0441B6E40ED73A9DE249C018381
                                                                                                                                                      Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 043d923630261b4865bb208ba9139708dfaf8bb7213ac539f4963e489c3833cc
• Instruction ID: 258f9586466b51ce7a6e96cb68706cd67648d8009e8b1ac24860414c869f089d
• Opcode Fuzzy Hash: 043d923630261b4865bb208ba9139708dfaf8bb7213ac539f4963e489c3833cc
• Instruction Fuzzy Hash: BE316B70A1CA198BD769AE2CC184BB973E1EF98306F60817DD55EC33A5CE25B8428781
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d69f58b890832a5465209a2e3eaec09f78535af0a30acc206ff0a3451066a464
• Instruction ID: b04c8821af3c575988b5b82e6fae68a6ff51af4588ad0e20dcbc64a427d30e2e
• Opcode Fuzzy Hash: d69f58b890832a5465209a2e3eaec09f78535af0a30acc206ff0a3451066a464
• Instruction Fuzzy Hash: 8031C76561D9990FEB41E73C85257EEBFE0EF95305F0C81EAD188C72A2DA18984A9381
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 029d23062337902db994e893ecdb2607e75d8f6881d548b09ca0ed7e7c8c90f7
• Instruction ID: 390c122960b70f999d0d486d04db2e0a7267774fe7414205dbaf429c9c8734f6
• Opcode Fuzzy Hash: 029d23062337902db994e893ecdb2607e75d8f6881d548b09ca0ed7e7c8c90f7
• Instruction Fuzzy Hash: 9431076060DAC81FE766FB7898569B67FE1EF4A30570884FED589C72A3C8087C078341
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff752b50e59ead8d2ea3fe64cceca72d9884042fd0eeb58dc80ca2c597c8a63d
• Instruction ID: 114937e13957d55eac9b8a2d7527d417ed629d7db41ed54cfae9fb46e773fb51
• Opcode Fuzzy Hash: ff752b50e59ead8d2ea3fe64cceca72d9884042fd0eeb58dc80ca2c597c8a63d
• Instruction Fuzzy Hash: AE21D66271DD0E5FEBECF92C9465AB963C6EB98352B14407AE40DC3791DD25DC428380
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c90cd7f9016e7f3f079c55b08e7470a82ae09f03e4a9adfd6832f6b6454a8c6f
• Instruction ID: 81d05b7cfca7be7f2431ba42a5ad194f8c2c60bde8b308beb22db12e4080670d
• Opcode Fuzzy Hash: c90cd7f9016e7f3f079c55b08e7470a82ae09f03e4a9adfd6832f6b6454a8c6f
• Instruction Fuzzy Hash: 9031B77188D1911FD3069734AC679F6BBA49F42326B1A41E7D449CBAE3C80D6593C362
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7bd32b2936d5b0b2e81ce10043c3edc23be11e90e515dc22421e6840e1e1eaf
• Instruction ID: af6e9349986276e8fde1457a566ccafbb3b13589c91530be5cce8af6a92d7a02
• Opcode Fuzzy Hash: b7bd32b2936d5b0b2e81ce10043c3edc23be11e90e515dc22421e6840e1e1eaf
• Instruction Fuzzy Hash: 0C31D551A0DBC90FD796EB3C88652683FE1EF46151B0982FFD489CB2A7D9189C068352
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 616aa5d7a21ef006bafc002e564f0bedad567b0f3cddb04e0603d46b7966219a
• Instruction ID: e6d682d6af081649a79fc62c24e8b2752883e4846aec3689b1ca2ff8b1fc9771
• Opcode Fuzzy Hash: 616aa5d7a21ef006bafc002e564f0bedad567b0f3cddb04e0603d46b7966219a
• Instruction Fuzzy Hash: 6131EF5008F3C21FD3939BB499655823FF99D87520B0E81EBD5C4CE4A7C14E485AC323
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1aa3f7c2fa01a45032d3a8a1406d6e32ef27b730fd1ba6652793f25ee6911af
• Instruction ID: 800f167ac75e83264a516d8c6248711de0a9b5abf7ecbe81abba606db26a0531
• Opcode Fuzzy Hash: d1aa3f7c2fa01a45032d3a8a1406d6e32ef27b730fd1ba6652793f25ee6911af
• Instruction Fuzzy Hash: FF310AA194E6C91FD752EB78586A1FABFF0DF4B201B0844FFD4C9CB1A3C81828468352
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2e25af52827b6ea5424130716a02996e739964147c03103326065aaf776d49d
• Instruction ID: d6627e9d6d7cd274a57c3a07b7c3cd1c9362917e981e15950b2a5e8d55a82b3a
• Opcode Fuzzy Hash: a2e25af52827b6ea5424130716a02996e739964147c03103326065aaf776d49d
• Instruction Fuzzy Hash: 7731D371A0CA684FDB95EB2C9859AED7BE1FF59301F0940F6E44CC72A6CE249C048381
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ab77b8d6a341a2571b2d420c49dc17fa848bb5dae352c8296a07090c46e1513
• Instruction ID: 7b336cecbbf81f1dc9f912012082226506fe41db8657061b9cd9a51758249ee7
• Opcode Fuzzy Hash: 0ab77b8d6a341a2571b2d420c49dc17fa848bb5dae352c8296a07090c46e1513
• Instruction Fuzzy Hash: 5231C06050D7854FD326AB38C5556B57FE1AF46301B5AC0FAC589CB2F3DE2CA84AC352
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2a6b36d8db464d1c6cdc7376bf0ddb6d9c52b32c2079d4851bbb15cd5e9de7d
• Instruction ID: 7105bdf239f429354b0a572ac99a1d4621dc0e096c494d9c77058866920b36c9
• Opcode Fuzzy Hash: b2a6b36d8db464d1c6cdc7376bf0ddb6d9c52b32c2079d4851bbb15cd5e9de7d
• Instruction Fuzzy Hash: 8F31E27190CB884FDB24EF28DC065E9BBE4EF9A311F0401AFE889D3252D660A94487C3
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47807442627e3d2aefd066f932f4a444dbc9c7261723dd53f6989d02fcdcc8b9
• Instruction ID: 9848b1fdb8b443313c78289b1fc72ecd6dd3b72c4277d7c92f88243006468b25
• Opcode Fuzzy Hash: 47807442627e3d2aefd066f932f4a444dbc9c7261723dd53f6989d02fcdcc8b9
• Instruction Fuzzy Hash: A731E37190CA8D4FEB85EF28C895AF97BF0FF19346F04407AD54AD36A2CA289C45C791
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 789260f12e18a6e89ca69e16823ba3a98d1ef66dad6f5dc6aa5c1eef652fa8b7
• Instruction ID: ff3547a073d449c7a159276f58816cfcef217ebcd7f84cc3d73f62182c6fa3e0
• Opcode Fuzzy Hash: 789260f12e18a6e89ca69e16823ba3a98d1ef66dad6f5dc6aa5c1eef652fa8b7
• Instruction Fuzzy Hash: 34217C70A0CA0D8FDB88EE6CD4956BC77E1FB98311F04427EE14ED33A1CE25A8418785
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd0ece7dfec580e6e8ef2b12a6f136a826c69c45e72cf0eae5fc4e3b847a3866
• Instruction ID: 9ee3f39f8b959971f8616f310a163fe53a7d0d8fdf97ec280d5859d72473bb44
• Opcode Fuzzy Hash: dd0ece7dfec580e6e8ef2b12a6f136a826c69c45e72cf0eae5fc4e3b847a3866
• Instruction Fuzzy Hash: A031A4A1A0CA850FEB85AF7CD5657A82BD1EF99305F4550BDE58DC72E3CD189852C300
Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22da013d8feafc8d52e3f40750408e545755517af8b7c0f00866c57d8744a6bb
• Instruction ID: fd5167860cd21d27da30aa4b10cdaf01af3ced7b5eae9070d1ab7fcb57e0f759
• Opcode Fuzzy Hash: 22da013d8feafc8d52e3f40750408e545755517af8b7c0f00866c57d8744a6bb
• Instruction Fuzzy Hash: D63118B491C94D8FDB94EF2CC989AA87BE1FF68315F0141B9E40DD76A1DA38E845CB40
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 87d688e08520f963d34178340cf9771cfd26530990aee266ff33cca5b6ddbdc8
                                                                                                                                                      • Instruction ID: 2bea694e9005a683ce1c8a705fc711f8748579c4f7c1d06ce44fd37f16952d39
                                                                                                                                                      • Opcode Fuzzy Hash: 87d688e08520f963d34178340cf9771cfd26530990aee266ff33cca5b6ddbdc8
                                                                                                                                                      • Instruction Fuzzy Hash: 5421D5B2B0CA094FE798EE6CE4530F977D1EF85222B54017FD24EC32A2DD16A8074685
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: d32594b91453ed73f38c39e1dc25fc4d1bf56168c3b3c719e09bbec835785daa
                                                                                                                                                      • Instruction ID: 95d1ac0844a69ef1c913559cc7d30e5560dacc9158fd8f580572577b04eded2d
                                                                                                                                                      • Opcode Fuzzy Hash: d32594b91453ed73f38c39e1dc25fc4d1bf56168c3b3c719e09bbec835785daa
                                                                                                                                                      • Instruction Fuzzy Hash: 2921908190FBC51FD353AB7888254657FA0AE5715171E84EBD4C4CB5B3D4186C19C352
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: a6e51ca6d06bf5f61a5848612156c5e70c5826fef85d7dd36baf61d62925ad8d
                                                                                                                                                      • Instruction ID: 090942ed3a16bdb97b2b8c12a58c911cf85c37c0b5b99e2fbcda132e5148c649
                                                                                                                                                      • Opcode Fuzzy Hash: a6e51ca6d06bf5f61a5848612156c5e70c5826fef85d7dd36baf61d62925ad8d
                                                                                                                                                      • Instruction Fuzzy Hash: 0D116621A0CA490FE749EF2C8856A327FD0EF46211B0841FAD14DC72A3E92AF8028340
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 08126550b98dc0ad752ff0e1f520149946ab040fceff4187829a2a7c563eca68
                                                                                                                                                      • Instruction ID: b99b574e5c7b2044f2ba6a3411715cf209667dc2defa4e63a6e2a0346393a345
                                                                                                                                                      • Opcode Fuzzy Hash: 08126550b98dc0ad752ff0e1f520149946ab040fceff4187829a2a7c563eca68
                                                                                                                                                      • Instruction Fuzzy Hash: 0B21C99050EAD61FD746AFB848276BDBFE09F4A201B4885EEC5C98B6A2C9142C06D345
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 2ad265c4c7a6b40377ea50272971525fc9c4fc0d71e1d3aa8329b21d28f759d3
                                                                                                                                                      • Instruction ID: 87b196957f86255fc2d1e0402d49ed30ff8f0b3af8234b9be68cec15df252a15
                                                                                                                                                      • Opcode Fuzzy Hash: 2ad265c4c7a6b40377ea50272971525fc9c4fc0d71e1d3aa8329b21d28f759d3
                                                                                                                                                      • Instruction Fuzzy Hash: 9321F86060D68A0FD756EF7C84566BE7FE1DF89210F0844FED589C7293CD14A84A8381
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f47ba23492bbea0b5ec60d9038a62b7c6f61f5a13507168649384a34a52b28ee
                                                                                                                                                      • Instruction ID: b7883670662d4eef1c10082a8cb3e42c6426758ff9a875aa511e5e6f73cf6602
                                                                                                                                                      • Opcode Fuzzy Hash: f47ba23492bbea0b5ec60d9038a62b7c6f61f5a13507168649384a34a52b28ee
                                                                                                                                                      • Instruction Fuzzy Hash: 9211C4A2B0DE890FE395AD7D6D959642AC0EF9920271942FBE548C7BF3D9449C05C382
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3668ac6d1c51a11aa37fac79b4536cb937c14f467ae47cf5c43009f7109f50fa
                                                                                                                                                      • Instruction ID: 17c108052143889d2fc655fa8e134b80643a72d40ad7cc3fd22a3d97d394c303
                                                                                                                                                      • Opcode Fuzzy Hash: 3668ac6d1c51a11aa37fac79b4536cb937c14f467ae47cf5c43009f7109f50fa
                                                                                                                                                      • Instruction Fuzzy Hash: 051126B2D1CA8C0FEB80FF7C98045AC7BE0FBC8301F0401AAE14CC32A2DA149C458382
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0cfec6eea91c9443f14ec7dbb7e771eff7567dceb02614affe209218799b5ce9
                                                                                                                                                      • Instruction ID: 5f24e80a16d41ce74f37c4a14953b929e60138c6196443b80b75fd3bb7606a75
                                                                                                                                                      • Opcode Fuzzy Hash: 0cfec6eea91c9443f14ec7dbb7e771eff7567dceb02614affe209218799b5ce9
                                                                                                                                                      • Instruction Fuzzy Hash: 0521D8A190EBC91FD756DF7848266BD7FE0DF46201F0845EBC089C72A3D91428098381
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: be4046a52b50d949596042531d50668b09250f81ab1f085ec378d0867e9b296a
                                                                                                                                                      • Instruction ID: 770c805a494800b514e85aba25921d5033cb11fd218e91716ee5f6f4d8793a17
                                                                                                                                                      • Opcode Fuzzy Hash: be4046a52b50d949596042531d50668b09250f81ab1f085ec378d0867e9b296a
                                                                                                                                                      • Instruction Fuzzy Hash: 0E112562B0ED490FE2D4AC6D7C959B52AC0DB9821271442BBEA0CC37B6DC458C41C382
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 5920bd3f9bfeefc542e03c70474f6888e9f48ee272a660160c231b1da1a6492d
                                                                                                                                                      • Instruction ID: 5b446d249abb870a35260b25aa702ce009441833ea936b2e6e6cbcab94bbfa6c
                                                                                                                                                      • Opcode Fuzzy Hash: 5920bd3f9bfeefc542e03c70474f6888e9f48ee272a660160c231b1da1a6492d
                                                                                                                                                      • Instruction Fuzzy Hash: 1411266150EBC41FE762F7389D56AB13FE0EF4621570A40FBD488CB5A3D8096C868361
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 4cc4267905b247bc9e62a1dec1a10220e512ee895e6a08abfc56c55d9f314bfc
                                                                                                                                                      • Instruction ID: b9de0de1bcb8c359db3eb87f0de3742055dcb9c1a9f97e80176058fc385de39d
                                                                                                                                                      • Opcode Fuzzy Hash: 4cc4267905b247bc9e62a1dec1a10220e512ee895e6a08abfc56c55d9f314bfc
                                                                                                                                                      • Instruction Fuzzy Hash: 161129B1D1CA881FE780FF389C555E97FE0EB85312B0442ABE008C76A2D9185D468392
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
• String ID:
• API String ID:
• Opcode ID: 9d2578fa177945b7293194ba4891c61cfd6c5e93c0413983c3cd3e2b6093dd36
• Instruction ID: 890799b6690ec4522c3ec2876ddd139969a6f482983b716d21947623e38db554
• Opcode Fuzzy Hash: 9d2578fa177945b7293194ba4891c61cfd6c5e93c0413983c3cd3e2b6093dd36
• Instruction Fuzzy Hash: 491148A1F1DC860FFAA5A73CD4A66382BC2EF95351F0881BAD48DC3296DC08EC4247C0

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c39c69c13b07bce1a96d7e3b3a230c4611c589c834a10733b8d3f4036d336825
• Instruction ID: 5d9525c48f9854917b0df7cdcdc2424c7d950f6ebb8b1e85d0d23de9af528cac
• Opcode Fuzzy Hash: c39c69c13b07bce1a96d7e3b3a230c4611c589c834a10733b8d3f4036d336825
• Instruction Fuzzy Hash: A411D69452E6DA1FDA0BABB858636B67FD08F0B114F4C88EDCA85C71B3D809784F9205

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4fe970f86bf31e8bcf9c55308edb49a5ce1d2e54aded32caf78d078c69af3ac
• Instruction ID: c8e11d410c05b47bfb2a3bee21e8c3467f60f5be783ec314c136d73ebfec8bd9
• Opcode Fuzzy Hash: f4fe970f86bf31e8bcf9c55308edb49a5ce1d2e54aded32caf78d078c69af3ac
• Instruction Fuzzy Hash: 3301B147A0E1A949EA12B27CF4A15F93B54CF46239B0942F7E98D890A3DC09B84E41E9

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52fdf800baca4fe5d2c1babadd64e7087c230201f331a5a1b96e254ea285b057
• Instruction ID: 4a486c6d796a2f5e8cec125e09ff8a75b167959868d6c946068296fd9a7141bb
• Opcode Fuzzy Hash: 52fdf800baca4fe5d2c1babadd64e7087c230201f331a5a1b96e254ea285b057
• Instruction Fuzzy Hash: 26118690A0E9C51FE746F7B884675BA7FD09F4A241B0C84FDC589CB6B3CD18680A9301

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 397039bc98ff3464711f0aceec61b46acb5cfff61e9386eb93df5d63c85a4cff
• Instruction ID: 2baa05d1ef7120c419898f3fa7f16cd553b694b55060fe8bf0e90728015a21dd
• Opcode Fuzzy Hash: 397039bc98ff3464711f0aceec61b46acb5cfff61e9386eb93df5d63c85a4cff
• Instruction Fuzzy Hash: AF01A261B1C90E4FE7A4EA2CE804B7677C5EBD8312F40017AE54CC3B66DE24E8014381

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe908bb2e018bcaac5ab9d9a1ba554084bf68b59eef577bab34ea4cccea1e2cc
• Instruction ID: 5299a2e2d5e0c6d5093a4932d36c68f27acb8d8a6c58f7790de9cfc8bd482639
• Opcode Fuzzy Hash: fe908bb2e018bcaac5ab9d9a1ba554084bf68b59eef577bab34ea4cccea1e2cc
• Instruction Fuzzy Hash: F1F0C882A0DE8A1FE3A2A57C99962B45BC1EB9816270881B7D18CC62B3DC485C974392

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d8c65a0f8ae5a8f2e2181786d986fc9b88b58e050310c5b337477592c1231a2
• Instruction ID: 5920cc713bfbad9d90d9d4094cd4c9e5451f84fef0045d28528977fe260377e9
• Opcode Fuzzy Hash: 1d8c65a0f8ae5a8f2e2181786d986fc9b88b58e050310c5b337477592c1231a2
• Instruction Fuzzy Hash: F201247190E6820FE309A738E8416E17BD1EF86320F1981FAE14CCB6A3D85D58428392

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5654f2cfb3d0020e118da6425184cd89c5132d40615c41802f76d128d8b8e916
• Instruction ID: 672b3b1e07e613cc37804a9ec9fbee3a578f082a40ce88540c9bb24cc5281ce6
• Opcode Fuzzy Hash: 5654f2cfb3d0020e118da6425184cd89c5132d40615c41802f76d128d8b8e916
• Instruction Fuzzy Hash: 90012691A0DECE0BE35AFB389451AB57BE1EF96212F0441FBC4C9C2692ED5868468341

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b280d9ddc3c7eb898d778f352c1a5ceb132abac94899cc18d968fcf9b20565bf
• Instruction ID: 136e1d314f6a8f29d42533ea8fe529aed7ae8e4ca17f90694b8ea23a4295f0ea
• Opcode Fuzzy Hash: b280d9ddc3c7eb898d778f352c1a5ceb132abac94899cc18d968fcf9b20565bf
• Instruction Fuzzy Hash: 18112EB1D186598EEB99EF28C8957ECB3A1FF64301F0041F9E44DD26A2DE386D81CB54

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91d94d74131954cc1940cbb5f3c0c333ae9fb5ca5dc0fbbb6b9d6cd16e4917d6
• Instruction ID: 7c0738befea6f74b9f31732abf930dc77b57efa4f2e664ffe15ccc8065bd802d
• Opcode Fuzzy Hash: 91d94d74131954cc1940cbb5f3c0c333ae9fb5ca5dc0fbbb6b9d6cd16e4917d6
• Instruction Fuzzy Hash: 4AF0FC92B1DE0E0FE7D9FA7CA51977861C1DBC8272B40507BD90DC2657EC68DC460294

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a58a1a315bcee082bed2793599a0bae985deb31328cca682d010ff16346bccb9
• Instruction ID: 98f4b28061baa12ea428d16229ff3b0551af131f7fe20468fecc57737ad5f457
• Opcode Fuzzy Hash: a58a1a315bcee082bed2793599a0bae985deb31328cca682d010ff16346bccb9
• Instruction Fuzzy Hash: BF01D661E19D4B4FDB99FB3CD091ABA73E2FFA830074445BAD409C3655DD28E8428381

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5851fba4bf47a0434b8ff96ce54d7635ac71c33153b84bf4800a4a2cc43657e5
• Instruction ID: 0650f7c399b030d44b10ee8b033f8b85954e7331b02a9964eeb68f76557372e6
• Opcode Fuzzy Hash: 5851fba4bf47a0434b8ff96ce54d7635ac71c33153b84bf4800a4a2cc43657e5
• Instruction Fuzzy Hash: 78F028B180D6DD5FE312EF78C8598F97FF0EF46200B0881E6D589C71A3DD2425098351

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 551dd49b2fdab93a9b2cc5ee5227ddc197e26b5aaa154ce6ce3495e9b4e815c5
• Instruction ID: 9bb1f5fa2b60b553ac0d9885e218ee3b9f7e1ff12cd6dc439e7ed4686af3eab4
• Opcode Fuzzy Hash: 551dd49b2fdab93a9b2cc5ee5227ddc197e26b5aaa154ce6ce3495e9b4e815c5
• Instruction Fuzzy Hash: 6301F96080FADA1FE353B73C58206E96FA08E8312674D41F7D1C8CB5ABD80C5855C356

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64c690c2792f93b51a350d9ff4104b94f0928962970efd366f249fae42698f68
• Instruction ID: 54d9f4df59a903361fc6e93f1583848d4cefe508fe9933050da7043753600c08
• Opcode Fuzzy Hash: 64c690c2792f93b51a350d9ff4104b94f0928962970efd366f249fae42698f68
• Instruction Fuzzy Hash: 3CF05992A0EDAE0FE396E23C29241F81BC1DBC516134D02F7C448C769EDC4C49420391

Memory Dump Source
• Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
• Instruction ID: 8462ea9b82aec57a0d7237d2a48226ec82cbe7ffd48d008178373efa5be7dd09
• Opcode Fuzzy Hash: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
• Instruction Fuzzy Hash: BEF0E97160C80B1EE678A52DD56977166D4DF49372F11707EE54EC23A2EC485C528240
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: aaa8b5aeded8ccd5930ae7f243596168d0f9acef8cb3834e24402360da3633a8
                                                                                                                                                      • Instruction ID: 24693abfed9e743d7296f134fdbea76b72653f520647f6aae8b5685ec2207b5a
                                                                                                                                                      • Opcode Fuzzy Hash: aaa8b5aeded8ccd5930ae7f243596168d0f9acef8cb3834e24402360da3633a8
                                                                                                                                                      • Instruction Fuzzy Hash: B301AD70819BCE8FDB46EF3888581EA7FF0FF56200B8004ABD859C62A2DA7454158340
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
                                                                                                                                                      • Instruction ID: d069baba278dcb9a81538fd644ee28130d5d73264517c6d8d84f5dbfe984c427
                                                                                                                                                      • Opcode Fuzzy Hash: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
                                                                                                                                                      • Instruction Fuzzy Hash: 77F0FE71A2CB488B9F04AE4CBC434ED77E0FB99B61F50116FF94A43251D621B8928AC7
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 67d9b812491189ae56576e30669b50ebf80774a8fbfacf4e700c44f31c462f9c
                                                                                                                                                      • Instruction ID: 6fe6b77100b036282e4d3768832b4ff9960b6bf09395de2947eb0deea2e413c4
                                                                                                                                                      • Opcode Fuzzy Hash: 67d9b812491189ae56576e30669b50ebf80774a8fbfacf4e700c44f31c462f9c
                                                                                                                                                      • Instruction Fuzzy Hash: 7DF0F060B18D0B8FDA89FA2CD4909B9B3D1FFA43007505475D44AC3685DE28E8478740
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c2a62c740044520320734f3500eb6cf1cfd833014c15b355458bf7c0247a00de
                                                                                                                                                      • Instruction ID: d9975b37ffcc706a11e6a4cf12005f6a8686bfd5c8337034bdc73360c5c4edc1
                                                                                                                                                      • Opcode Fuzzy Hash: c2a62c740044520320734f3500eb6cf1cfd833014c15b355458bf7c0247a00de
                                                                                                                                                      • Instruction Fuzzy Hash: C6F037B271CA1D4FA258BE1C65432FD73C2DB89921710817FD58FC7656DD1568074391
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 8b8351ed57c9de3afab8cf69acb21667c85da751d9b5d531cd81c8c2e3faf111
                                                                                                                                                      • Instruction ID: 7db8ed529ecc57b27287d7dc5c8c48033cb1bd03a484e880278cb9285d8aec66
                                                                                                                                                      • Opcode Fuzzy Hash: 8b8351ed57c9de3afab8cf69acb21667c85da751d9b5d531cd81c8c2e3faf111
                                                                                                                                                      • Instruction Fuzzy Hash: 5BF02761A1CD0D0AD6A8F63CA445EB922D1DB84211F40427BD40EC2695EC58A8428381
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 03be988db4db3968c7d979a188b21605016488cc96d04451639662dbcd1267d1
                                                                                                                                                      • Instruction ID: 196518f9af297be871a4319c965a93fb916174cd413ba87a2bbb60b74defdf82
                                                                                                                                                      • Opcode Fuzzy Hash: 03be988db4db3968c7d979a188b21605016488cc96d04451639662dbcd1267d1
                                                                                                                                                      • Instruction Fuzzy Hash: EDF0C26040DADA0FD316EF38D558AA0BBE0AF46311B4D42F7D588CB3A3DE1CB9858791
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 2839aca00a26008e544176116e62d76546a910a4760ea8b5cface538739a1b16
                                                                                                                                                      • Instruction ID: 88fdfe6cf8731d673449331cba085f4d192f5d34903ddd215547e124a47aaf30
                                                                                                                                                      • Opcode Fuzzy Hash: 2839aca00a26008e544176116e62d76546a910a4760ea8b5cface538739a1b16
                                                                                                                                                      • Instruction Fuzzy Hash: B4F0F08040E7C41FEB07ABB8492AA627FE19F5B111B4DC6EBC1C8CF1A3C51C500AC312
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 82b6f6b066145ead2fd49552f3a2e983b21ccc9a35146c635b47bfed098bde69
                                                                                                                                                      • Instruction ID: 1acfac15b8db11ed585a437049dc1c51f67ce39716e8a83cc0d2c7db5e25a326
                                                                                                                                                      • Opcode Fuzzy Hash: 82b6f6b066145ead2fd49552f3a2e983b21ccc9a35146c635b47bfed098bde69
                                                                                                                                                      • Instruction Fuzzy Hash: 52F0E2E0D0EA891FE648EFB8442B5BDBFE0CF59102B4881EFC08983762D80828064780
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: bb764b9cddfaba814d272c4d884027b02538e7507d19d5ab47b25a09b19dffd5
                                                                                                                                                      • Instruction ID: b83b6691661adbf3765e599d0121c54dbe55daf4fa84effed52a2b7daf9f3e7a
                                                                                                                                                      • Opcode Fuzzy Hash: bb764b9cddfaba814d272c4d884027b02538e7507d19d5ab47b25a09b19dffd5
                                                                                                                                                      • Instruction Fuzzy Hash: 1FF05942A0DDCB0BE349EA38F8819F9B781EF5120170484BDC00AC35BACD28E98AC740
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 64feb874c81d1b71611193e5a721fab15de36f6d5f248bac094060858df7eca2
                                                                                                                                                      • Instruction ID: 109bc876c67a82c24cc7baa85b7e2a38bab3a14720711cd0a5aaae3de2e3101f
                                                                                                                                                      • Opcode Fuzzy Hash: 64feb874c81d1b71611193e5a721fab15de36f6d5f248bac094060858df7eca2
                                                                                                                                                      • Instruction Fuzzy Hash: 48E06802A0F46905FA25723CF0603F93740CF06329F0802F6E88CC51E3EC4E6C4A02D9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 072e3fc894b8097254b24eb3d9f700d1a2d028ecd84510954fc2d613211c7bb4
                                                                                                                                                      • Instruction ID: 9fced90cb70fde9aac52c0b3157ce6f1f95f520e7785c776268181405bc21712
                                                                                                                                                      • Opcode Fuzzy Hash: 072e3fc894b8097254b24eb3d9f700d1a2d028ecd84510954fc2d613211c7bb4
                                                                                                                                                      • Instruction Fuzzy Hash: AAE02BE280D3C10BF751AA35C9865A93FC0BF65211F4886FAC688CA1E3E62C95454242
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 899e8cafb233609da618e190fc0b49d775ee6596fc5227135379e21696f85d97
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                                                                      • Instruction ID: 5f1119d94fb5d56e1537aa3b83bb342229c554220b7b69dad74ce3ecfefa170e
                                                                                                                                                      • Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                                                                      • Instruction Fuzzy Hash: 2EC01232A0880C8E9F80EA98A001AECB7A0EB88222F441032D20DE2210CA2014504790
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: a4485169b5a3aafd4e767d3e7c96ad765e88ba5447f5b14ed5272cb33e9b6835
                                                                                                                                                      • Instruction ID: 558f0b22c8ac2eadcf0bdaa9c4cfe0571917b8e3a30017b2587a932ac878f508
                                                                                                                                                      • Opcode Fuzzy Hash: a4485169b5a3aafd4e767d3e7c96ad765e88ba5447f5b14ed5272cb33e9b6835
                                                                                                                                                      • Instruction Fuzzy Hash: 80A0228080AA0208AC0C28328B02CFC2280CA002E8FC800E0AC88CE083E80C23EE0320
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: L_^$L_^$L_^#$L_^$
                                                                                                                                                      • API String ID: 0-699172779
                                                                                                                                                      • Opcode ID: ba803a028d102d33b3608447d1213bc12a03ac651a70181f4c414d3924c583f6
                                                                                                                                                      • Instruction ID: 85b2c1fc01208f9e307cac2de87eabf13313266af6668755431faa8f881433b0
                                                                                                                                                      • Opcode Fuzzy Hash: ba803a028d102d33b3608447d1213bc12a03ac651a70181f4c414d3924c583f6
                                                                                                                                                      • Instruction Fuzzy Hash: 3D3124F3D1C7524ED337F969E4044ACB790AF11326B099DF6CB6D462A36E2478044AD6
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: L_^$L_^$L_^$L_^
                                                                                                                                                      • API String ID: 0-2357752022
                                                                                                                                                      • Opcode ID: 8f12bc0a1fdd6ba415c0dd9cec918f808621182adcbee7a629f17d2a878242db
                                                                                                                                                      • Instruction ID: 097144d5922c2b8e79c6dcda6abd1469b8630595763031091569bc270f09b185
                                                                                                                                                      • Opcode Fuzzy Hash: 8f12bc0a1fdd6ba415c0dd9cec918f808621182adcbee7a629f17d2a878242db
                                                                                                                                                      • Instruction Fuzzy Hash: 0B21C5F39096414FE3569F2ECCDA8543BE0FF2025934E45F5C6984B2A3FE29740A8A41
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000003.00000002.1607056648.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_3_2_7ffb4b050000_Bootstrapper.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: L_^$L_^$L_^$L_^
                                                                                                                                                      • API String ID: 0-2357752022
                                                                                                                                                      • Opcode ID: 40d8c19c22e2b23e1338e9c77f0c3017d14639e7b09bc27df17363e39b50883e
                                                                                                                                                      • Instruction ID: 25613e58bd6bdd6448007db792b9369a877957b52a9abd62cedb223dab51ed0f
                                                                                                                                                      • Opcode Fuzzy Hash: 40d8c19c22e2b23e1338e9c77f0c3017d14639e7b09bc27df17363e39b50883e
                                                                                                                                                      • Instruction Fuzzy Hash: 9321B9F39096414FE3569F2ECCDD8543BE0FF1135834E45F5C6994B2A3EE29740A8A45