Windows Analysis Report
kwlYObMOSn.exe

Overview

General Information

Sample name: kwlYObMOSn.exe (renamed because original name is a hash value)
Original sample name: 3914bb7ca015e96eb45556b7fa427a8b5fbfc497a9909b777ea5d4e5b321111e.exe
Analysis ID: 1561585
MD5: f28a1fb54a5c3b2b4e4184e3dff4f50a
SHA1: 180878512f7cd7c75c87fff174203228de688d34
SHA256: 3914bb7ca015e96eb45556b7fa427a8b5fbfc497a9909b777ea5d4e5b321111e
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • kwlYObMOSn.exe (PID: 4080 cmdline: "C:\Users\user\Desktop\kwlYObMOSn.exe" MD5: F28A1FB54A5C3B2B4E4184E3DFF4F50A)
    • BootstrapperV1.23.exe (PID: 2860 cmdline: "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe" MD5: 02C70D9D6696950C198DB93B7F6A835E)
      • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2604 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 5556 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • WerFault.exe (PID: 1848 cmdline: C:\Windows\system32\WerFault.exe -u -p 2860 -s 2196 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • XClient.exe (PID: 5428 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: E82A4E80B783AB902E649D21DCD0F3D5)
      • schtasks.exe (PID: 1896 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Teams.exe (PID: 6172 cmdline: C:\Users\user\AppData\Roaming\Teams.exe MD5: E82A4E80B783AB902E649D21DCD0F3D5)
  • Teams.exe (PID: 1892 cmdline: "C:\Users\user\AppData\Roaming\Teams.exe" MD5: E82A4E80B783AB902E649D21DCD0F3D5)
  • Teams.exe (PID: 4196 cmdline: "C:\Users\user\AppData\Roaming\Teams.exe" MD5: E82A4E80B783AB902E649D21DCD0F3D5)
  • Teams.exe (PID: 6112 cmdline: C:\Users\user\AppData\Roaming\Teams.exe MD5: E82A4E80B783AB902E649D21DCD0F3D5)
  • Teams.exe (PID: 5168 cmdline: C:\Users\user\AppData\Roaming\Teams.exe MD5: E82A4E80B783AB902E649D21DCD0F3D5)
  • Teams.exe (PID: 5988 cmdline: C:\Users\user\AppData\Roaming\Teams.exe MD5: E82A4E80B783AB902E649D21DCD0F3D5)
  • Teams.exe (PID: 3288 cmdline: C:\Users\user\AppData\Roaming\Teams.exe MD5: E82A4E80B783AB902E649D21DCD0F3D5)
  • cleanup
{"C2 url": ["Cactus-33152.portmap.host"], "Port": 33152, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
\Device\ConDrv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe77a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe817:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe92c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe0f7:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\Teams.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\Teams.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe77a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe817:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe92c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe0f7:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe57a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe617:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe72c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xdef7:$cnc4: POST / HTTP/1.1
00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x324b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x42ef2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x3254f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x42f8f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x32664:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x430a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x31e2f:$cnc4: POST / HTTP/1.1
  • 0x4286f:$cnc4: POST / HTTP/1.1
Process Memory Space: kwlYObMOSn.exe PID: 4080 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
4.0.XClient.exe.f20000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
4.0.XClient.exe.f20000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe77a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe817:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe92c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe0f7:$cnc4: POST / HTTP/1.1
0.2.kwlYObMOSn.exe.2fc4d38.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.kwlYObMOSn.exe.2fc4d38.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xc97a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xca17:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcb2c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc2f7:$cnc4: POST / HTTP/1.1
0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

System Summary

Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Teams.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\XClient.exe, ProcessId: 5428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Teams
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\XClient.exe, ProcessId: 5428, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XClient.exe" , ParentImage: C:\Users\user\AppData\Roaming\XClient.exe, ParentProcessId: 5428, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe", ProcessId: 1896, ProcessName: schtasks.exe
Source: Process started, Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe" , ParentImage: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe, ParentProcessId: 2860, ParentProcessName: BootstrapperV1.23.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 2604, ProcessName: cmd.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T21:00:09.122437+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 172.67.203.125 | 443 | TCP
2024-11-23T21:02:40.792427+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50028 | 193.161.193.99 | 33152 | TCP

AV Detection

Source: kwlYObMOSn.exe, Avira: detected
Source: Cactus-33152.portmap.host, Avira URL Cloud: Label: malware
Source: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe, Avira URL Cloud: Label: malware
Source: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Teams.exe, Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\XClient.exe, Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Xworm {"C2 url": ["Cactus-33152.portmap.host"], "Port": 33152, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe, ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Teams.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\XClient.exe, ReversingLabs: Detection: 83%
Source: kwlYObMOSn.exe, ReversingLabs: Detection: 68%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Teams.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe, Joe Sandbox ML: detected
Source: kwlYObMOSn.exe, Joe Sandbox ML: detected
Source: 4.0.XClient.exe.f20000.0.unpack, String decryptor: Cactus-33152.portmap.host
Source: 4.0.XClient.exe.f20000.0.unpack, String decryptor: 33152
Source: 4.0.XClient.exe.f20000.0.unpack, String decryptor: <123456789>
Source: 4.0.XClient.exe.f20000.0.unpack, String decryptor: <Xwormmm>
Source: 4.0.XClient.exe.f20000.0.unpack, String decryptor: XWorm V5.2
Source: 4.0.XClient.exe.f20000.0.unpack, String decryptor: USB.exe
Source: 4.0.XClient.exe.f20000.0.unpack, String decryptor: %AppData%
Source: 4.0.XClient.exe.f20000.0.unpack, String decryptor: Teams.exe
Source: kwlYObMOSn.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: kwlYObMOSn.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic, Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49850 -> 193.161.193.99:33152
Source: Network traffic, Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50028 -> 193.161.193.99:33152
Source: Malware configuration extractor, URLs: Cactus-33152.portmap.host
Source: global traffic, TCP traffic: 192.168.2.5:49706 -> 193.161.193.99:33152
Source: global traffic, HTTP traffic detected: GET /asset/discord.json HTTP/1.1, Host: getsolara.dev, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /api/endpoint.json HTTP/1.1, Host: getsolara.dev
Source: global traffic, HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1, Host: clientsettings.roblox.com, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1, Host: www.nodejs.org, Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 172.67.203.125
Source: Joe Sandbox View, IP Address: 193.161.193.99
Source: Joe Sandbox View, IP Address: 128.116.119.3
Source: Joe Sandbox View, ASN Name: BITREE-ASRU
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49707 -> 172.67.203.125:443
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: getsolara.dev
Source: global traffic, DNS traffic detected: DNS query: Cactus-33152.portmap.host
Source: global traffic, DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic, DNS traffic detected: DNS query: www.nodejs.org
Source: global traffic, DNS traffic detected: DNS query: nodejs.org
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                    Source: unknownHTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.5:49708 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.5:49710 version: TLS 1.2

                    Operating System Destruction

                    Source: C:\Users\user\AppData\Roaming\XClient.exeProcess information set: 01 00 00 00

                    System Summary

                    Source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe 8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2860 -s 2196
                    Source: kwlYObMOSn.exe, 00000000.00000000.2042845470.0000000000DDE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXevo.exe4 vs kwlYObMOSn.exe
                    Source: kwlYObMOSn.exe, 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs kwlYObMOSn.exe
                    Source: kwlYObMOSn.exeBinary or memory string: OriginalFilenameXevo.exe4 vs kwlYObMOSn.exe
                    Source: kwlYObMOSn.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: kwlYObMOSn.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: kwlYObMOSn.exe, Program.csCryptographic APIs: 'TransformFinalBlock'
                    Source: XClient.exe.0.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.csCryptographic APIs: 'TransformFinalBlock'
                    Source: XClient.exe.0.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.csCryptographic APIs: 'TransformFinalBlock'
                    Source: Teams.exe.4.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: Teams.exe.4.dr, F5vMHDl0yhQPqFo1H7ie55ng.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: Teams.exe.4.dr, F5vMHDl0yhQPqFo1H7ie55ng.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@22/13@5/5
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exeFile created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exeMutant created: \Sessions\1\BaseNamedObjects\bKGK9XtDE4HepKISm
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\Teams.exeMutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\XClient.exeMutant created: \Sessions\1\BaseNamedObjects\4QViFEjJzqTHCbHq
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2860
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exeFile created: C:\Users\user\AppData\Local\Temp\node-v18.16.0-x64.msi
                    Source: kwlYObMOSn.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: kwlYObMOSn.exeReversingLabs: Detection: 68%
                    Source: unknownProcess created: C:\Users\user\Desktop\kwlYObMOSn.exe "C:\Users\user\Desktop\kwlYObMOSn.exe"
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exeProcess created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exeProcess created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\AppData\Roaming\XClient.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"
                    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Teams.exe "C:\Users\user\AppData\Roaming\Teams.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Teams.exe "C:\Users\user\AppData\Roaming\Teams.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                    Source: Teams.lnk.4.dr LNK file: ..\..\..\..\..\Teams.exe
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: kwlYObMOSn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: kwlYObMOSn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Numerics.pdb0D source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Data.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.pdbpH source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Runtime.Serialization.pdb 0 source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Data.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Data.ni.pdbRSDSC source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: BootstrapperV1.23.exe, 00000002.00000002.2547110487.000001E6EBE1B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp, WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Core.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Numerics.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Data.pdbH source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.pdbH source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: mscorlib.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Drawing.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Core.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Runtime.Serialization.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: m.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2547594514.000001E6EE236000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Numerics.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.ni.pdb source: WER9337.tmp.dmp.14.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr

                    Data Obfuscation

                    Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
                    Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
                    Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
                    Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
                    Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
                    Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Code function: 0_2_00007FF848F200BD pushad ; iretd 0_2_00007FF848F200C1
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Code function: 2_2_00007FF848F5D668 push ss; retf 2_2_00007FF848F5D837
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Code function: 2_2_00007FF848F5A272 push ebx; retf 2_2_00007FF848F5A282
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Code function: 2_2_00007FF848F400BD pushad ; iretd 2_2_00007FF848F400C1
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 4_2_00007FF848F21288 push ebx; retf FFEFh 4_2_00007FF848F2134A
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 4_2_00007FF848F200BD pushad ; iretd 4_2_00007FF848F200C1
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Code function: 10_2_00007FF848F300BD pushad ; iretd 10_2_00007FF848F300C1
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Code function: 17_2_00007FF848F100BD pushad ; iretd 17_2_00007FF848F100C1
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Code function: 19_2_00007FF848F300BD pushad ; iretd 19_2_00007FF848F300C1
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Code function: 20_2_00007FF848F200BD pushad ; iretd 20_2_00007FF848F200C1
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Code function: 21_2_00007FF848F200BD pushad ; iretd 21_2_00007FF848F200C1
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Code function: 22_2_00007FF848F300BD pushad ; iretd 22_2_00007FF848F300C1
                    Source: kwlYObMOSn.exe Static PE information: section name: .text entropy: 7.998505878740895
                    Source: XClient.exe.0.dr, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.csHigh entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
                    Source: XClient.exe.0.dr, Uc3BjQmcdurs1N4Pk8uOPT3r.csHigh entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
                    Source: XClient.exe.0.dr, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
                    Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.csHigh entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
                    Source: XClient.exe.0.dr, uC4bX9qmnfDttpZXgexIMCB3.csHigh entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
                    Source: XClient.exe.0.dr, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.csHigh entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
                    Source: XClient.exe.0.dr, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.csHigh entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
                    Source: XClient.exe.0.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.csHigh entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
                    Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.csHigh entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
                    Source: XClient.exe.0.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.csHigh entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'
                    Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack; High entropy of concatenated method names
                    Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack; High entropy of concatenated method names
                    Source: Teams.exe.4.dr; High entropy of concatenated method names

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; File created: C:\Users\user\AppData\Roaming\Teams.exe
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe; File created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe; File created: C:\Users\user\AppData\Roaming\XClient.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Roaming\XClient.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk
                    Source: C:\Users\user\AppData\Roaming\XClient.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Teams
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\XClient.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Teams.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe, Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\XClient.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\XClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Memory allocated: 1620000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Memory allocated: 1AFA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Memory allocated: 1E6EBDA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Memory allocated: 1E6EDAE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1770000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1B160000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 2850000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1AA20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 11D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1AF10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1210000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1A9F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1560000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1AEE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 11B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1AE70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: B30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1A900000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 690000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Memory allocated: 1A1E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599891
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599766
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599656
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599547
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599438
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599313
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599188
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599063
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598953
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598844
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598657
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598521
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598382
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598266
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598141
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597934
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597813
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597704
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597579
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597454
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597329
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597204
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597079
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596954
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596829
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596704
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596583
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596454
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596339
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596219
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596073
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595922
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595793
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595672
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595563
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595438
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595313
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595188
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595079
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594954
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594829
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594704
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594579
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594454
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594329
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594204
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594079
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 593954
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 593829
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 593704
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Window / User API: threadDelayed 4143
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Window / User API: threadDelayed 5650
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Window / User API: threadDelayed 7359
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Window / User API: threadDelayed 2495
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe TID: 5028 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -36893488147419080s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -599891s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -599766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -599547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -599438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -599313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -599188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -599063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -598953s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -598844s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -598657s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -598521s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -598382s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -598266s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -598141s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -597934s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -597813s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -597704s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -597579s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -597454s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -597329s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -597204s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -597079s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -596954s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -596829s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -596704s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -596583s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -596454s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -596339s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -596219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -596073s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -595922s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -595793s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -595672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -595563s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -595438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -595313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -595188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -595079s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -594954s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -594829s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -594704s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -594579s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -594454s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -594329s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -594204s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -594079s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -593954s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -593829s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960 Thread sleep time: -593704s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 6196 Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 2924 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 1856 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5536 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 3524 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 2124 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5256 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5032 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\Teams.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\Teams.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Teams.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\Teams.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\Teams.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\Teams.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\Teams.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599891
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599766
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599656
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599547
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599438
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599313
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599188
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 599063
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598953
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598844
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598657
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598521
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598382
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598266
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 598141
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597934
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597813
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597704
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597579
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597454
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597329
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597204
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 597079
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596954
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596829
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596704
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596583
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596454
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596339
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596219
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 596073
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595922
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595793
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595672
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595563
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595438
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595313
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595188
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 595079
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594954
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594829
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594704
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594579
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594454
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594329
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594204
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 594079
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 593954
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 593829
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Thread delayed: delay time: 593704
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Thread delayed: delay time: 922337203685477
                    Source: Amcache.hve.14.dr Binary or memory string: VMware
                    Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.14.dr Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.14.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.14.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.14.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: kwlYObMOSn.exe, 00000000.00000002.2052402034.0000000001256000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.14.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.14.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: BootstrapperV1.23.exe, 00000002.00000002.2547110487.000001E6EBE1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.14.dr Binary or memory string: vmci.sys
                    Source: Amcache.hve.14.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin`
                    Source: XClient.exe, 00000004.00000002.4506642415.000000001C130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"/>
                    Source: Amcache.hve.14.dr Binary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.14.dr Binary or memory string: VMware20,1
                    Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.14.dr Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.14.dr Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: XClient.exe, 00000004.00000002.4501579682.0000000001460000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amcache.hve.14.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Process queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match File source: Process Memory Space: BootstrapperV1.23.exe PID: 2860, type: MEMORYSTR
                    Source: Yara match File source: \Device\ConDrv, type: DROPPED
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Queries volume information: C:\Users\user\Desktop\kwlYObMOSn.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Queries volume information: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Teams.exe Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
                    Source: C:\Users\user\Desktop\kwlYObMOSn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.14.dr Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: XClient.exe, 00000004.00000002.4501579682.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4501579682.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4506642415.000000001C130000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4506642415.000000001C1BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: Amcache.hve.14.dr Binary or memory string: MsMpEng.exe
                    Source: C:\Users\user\AppData\Roaming\XClient.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: kwlYObMOSn.exe PID: 4080, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: XClient.exe PID: 5428, type: MEMORYSTR
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match File source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: kwlYObMOSn.exe PID: 4080, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: XClient.exe PID: 5428, type: MEMORYSTR
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 141 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 13 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
[Behavior graph. Behavior Graph ID: 1561585; Sample: kwlYObMOSn.exe; Startdate: 23/11/2024; Architecture: WINDOWS; Score: 100]

Source | Detection | Scanner | Label
kwlYObMOSn.exe | 68% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
kwlYObMOSn.exe | 100% | Avira | TR/Dropper.Gen
kwlYObMOSn.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Teams.exe | 100% | Avira | HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\Teams.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe | 63% | ReversingLabs | Win64.Trojan.Heracles
C:\Users\user\AppData\Roaming\Teams.exe | 83% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\XClient.exe | 83% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://discord.com;http://127.0.0.1:6463/rpc?v=11 | 0% | Avira URL Cloud | safe
http://127.0.0.1:64632 | 0% | Avira URL Cloud | safe
Cactus-33152.portmap.host | 100% | Avira URL Cloud | malware
https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | 100% | Avira URL Cloud | malware
https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
Cactus-33152.portmap.host | 193.161.193.99 | true | true | | unknown
nodejs.org | 104.20.23.46 | true | false | | high
getsolara.dev | 172.67.203.125 | true | false | | high
www.nodejs.org | 104.20.22.46 | true | false | | high
edge-term4-lhr2.roblox.com | 128.116.119.3 | true | false | | high
clientsettings.roblox.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
Cactus-33152.portmap.host | true | Avira URL Cloud: malware | unknown
https://getsolara.dev/asset/discord.json | false | | high
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live | false | | high
https://getsolara.dev/api/endpoint.json | false | | high
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.203.125 | getsolara.dev | United States | 13335 | CLOUDFLARENETUS | false
193.161.193.99 | Cactus-33152.portmap.host | Russian Federation | 198134 | BITREE-ASRU | true
128.116.119.3 | edge-term4-lhr2.roblox.com | United States | 22697 | ROBLOX-PRODUCTIONUS | false
104.20.22.46 | www.nodejs.org | United States | 13335 | CLOUDFLARENETUS | false

                                                                                      IP
                                                                                      127.0.0.1
                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                      Analysis ID:1561585
                                                                                      Start date and time:2024-11-23 20:59:07 +01:00
                                                                                      Joe Sandbox product:CloudBasic
                                                                                      Overall analysis duration:0h 8m 46s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:full
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                      Number of analysed new started processes analysed:23
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Sample name:kwlYObMOSn.exe
                                                                                      renamed because original name is a hash value
                                                                                      Original Sample Name:3914bb7ca015e96eb45556b7fa427a8b5fbfc497a9909b777ea5d4e5b321111e.exe
                                                                                      Detection:MAL
                                                                                      Classification:mal100.troj.evad.winEXE@22/13@5/5
                                                                                      EGA Information:
                                                                                      • Successful, ratio: 10%
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 97%
                                                                                      • Number of executed functions: 231
                                                                                      • Number of non-executed functions: 5
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .exe
                                                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 52.182.143.212
                                                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                      • Execution Graph export aborted for target BootstrapperV1.23.exe, PID 2860 because it is empty
                                                                                      • Execution Graph export aborted for target Teams.exe, PID 1892 because it is empty
                                                                                      • Execution Graph export aborted for target Teams.exe, PID 3288 because it is empty
                                                                                      • Execution Graph export aborted for target Teams.exe, PID 4196 because it is empty
                                                                                      • Execution Graph export aborted for target Teams.exe, PID 5168 because it is empty
                                                                                      • Execution Graph export aborted for target Teams.exe, PID 5988 because it is empty
                                                                                      • Execution Graph export aborted for target Teams.exe, PID 6112 because it is empty
                                                                                      • Execution Graph export aborted for target Teams.exe, PID 6172 because it is empty
                                                                                      • Execution Graph export aborted for target kwlYObMOSn.exe, PID 4080 because it is empty
                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                      • VT rate limit hit for: kwlYObMOSn.exe

Time | Type | Description
15:00:05 | API Interceptor | 13749857x Sleep call for process: XClient.exe modified
15:00:06 | API Interceptor | 72x Sleep call for process: BootstrapperV1.23.exe modified
15:00:49 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
21:00:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Teams C:\Users\user\AppData\Roaming\Teams.exe
21:00:07 | Task Scheduler | Run new task: Teams path: C:\Users\user\AppData\Roaming\Teams.exe
21:00:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Teams C:\Users\user\AppData\Roaming\Teams.exe
21:00:21 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk

Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.203.125 | IM3OLcx7li.exe | malicious | XWorm |
172.67.203.125 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | malicious | Blank Grabber |
172.67.203.125 | cgqdM4IA7C.exe | malicious | XWorm |
172.67.203.125 | oIDX88LpSs.exe | malicious | XWorm |
172.67.203.125 | hKWBNgRd7p.exe | malicious | XWorm |
172.67.203.125 | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | malicious | Unknown |
172.67.203.125 | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | malicious | Unknown |
172.67.203.125 | BootstrapperV1.19.exe | malicious | DCRat, PureLog Stealer, zgRAT |
172.67.203.125 | RHUENHera1.exe | malicious | AsyncRAT, XWorm |
172.67.203.125 | SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe | malicious | Unknown |
193.161.193.99 | Yq5Gp2g2vB.exe | malicious | RedLine | okmaq-24505.portmap.host:24505/
193.161.193.99 | JnBNepHH7K.exe | malicious | AsyncRAT RedLine | exara32-64703.portmap.host:64703/
193.161.193.99 | 99SKW728vf.exe | malicious | RedLine | lottie9nwtina-55339.portmap.host:55339/
193.161.193.99 | amazoninvoiceAF0388d83739dee83479171dbcf.exe | malicious | RedLine | tete2792-22120.portmap.host:22120//
128.116.119.3 | bootstraper.exe | malicious | Unknown |
128.116.119.3 | bootstraper.exe | malicious | Unknown |
128.116.119.3 | SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exe | malicious | Unknown |
128.116.119.3 | https://roblox.com.zm/games/10449761463/The-Strongest-Battlegrounds?privateServerLinkCode=22919554639422626360922039380445 | malicious | Unknown |
128.116.119.3 | https://shrturl.net/pmf-gx3n | malicious | Unknown |
128.116.119.3 | RFAwChXSve.exe | malicious | DCRat |
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2671348489429193
Encrypted: false
Malicious: false

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Sat Nov 23 20:00:15 2024, 0x1205a4 type
Category: dropped
Size (bytes): 603646
Entropy (8bit): 3.307347295263333
Encrypted: false
                                                                                                                          Malicious:false
                                                                                                                          Preview:MDMP..a..... .......O4Bg............4...........<...T.......<....)...........)......tT..............l.......8...........T............V...............E...........G..............................................................................eJ......dH......Lw......................T.......,...@4Bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6824
                                                                                                                          Entropy (8bit):3.7187814624713535
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:R6l7wVeJQVZio5gbYZK8Ypru89baCUfsem:R6lXJyZiUgbYAJapfc
                                                                                                                          MD5:342E319241D85DE8AF523DED652C0C72
                                                                                                                          SHA1:77396E79DC66DC75DDAC61265E3FDCE7612C91D6
                                                                                                                          SHA-256:FE07ADB460C4859283FA9A2054B7689EB9BB771103D574C20B485AF2E6CBE8BC
                                                                                                                          SHA-512:82DF750482004E3EDDF12A1D01B6FEAEFDBBE0DC06DA822F22E9F9BCC15493FED41DFF476BF57A80F90258BAFE2CFE44215D8BBA6063A2569162C10FC45F963A
                                                                                                                          Malicious:false
                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.6.0.<./.P.i.
                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4834
                                                                                                                          Entropy (8bit):4.464854798453406
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:cvIwWl8zs0Jg771I9pOWpW8VY3Ym8M4JQKy/FMNlyq8vay4Dx5b5Ud:uIjfyI7mv7VbJzWGf1Ud
                                                                                                                          MD5:C2B14730949DC8304808266C5785100F
                                                                                                                          SHA1:E2D3CA390F32DE893A461301F6CF3DEB383D91B4
                                                                                                                          SHA-256:4F5DB76274A7E33C7C2AEBBA28F5B2B7725C89847A55A6BB2E3809DE85866ADA
                                                                                                                          SHA-512:CD43810FC93035201FC1850E951C2CCD788460702A303299E830CE797F97FC4846B63FD777EB3FECACB3898A68B9339E1F5FFA0A4204C8B9CB8E455890179B5A
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="601142" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                          Process:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          File Type:CSV text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):654
                                                                                                                          Entropy (8bit):5.380476433908377
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                          Malicious:false
                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                          Process:C:\Users\user\Desktop\kwlYObMOSn.exe
                                                                                                                          File Type:CSV text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):654
                                                                                                                          Entropy (8bit):5.380476433908377
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                          Malicious:true
                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                          Process:C:\Users\user\Desktop\kwlYObMOSn.exe
                                                                                                                          File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):819200
                                                                                                                          Entropy (8bit):5.598261375667174
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
                                                                                                                          MD5:02C70D9D6696950C198DB93B7F6A835E
                                                                                                                          SHA1:30231A467A49CC37768EEA0F55F4BEA1CBFB48E2
                                                                                                                          SHA-256:8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3
                                                                                                                          SHA-512:431D9B9918553BFF4F4A5BC2A5E7B7015F8AD0E2D390BB4D5264D08983372424156524EF5587B24B67D1226856FC630AACA08EDC8113097E0094501B4F08EFEB
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                          Joe Sandbox View:
                                                                                                                          • Filename: 8Hd0ZExgJz.exe, Detection: malicious, Browse
                                                                                                                          • Filename: KKjubdmzCR.exe, Detection: malicious, Browse
                                                                                                                          Process:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 19:00:05 2024, mtime=Sat Nov 23 19:00:05 2024, atime=Sat Nov 23 19:00:05 2024, length=68096, window=hide
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):753
                                                                                                                          Entropy (8bit):5.00342396501985
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:8b04f+88CQTlsY//49ESLAItXZClWUjAMHENlWtmxMxfmV:8RfF8lZwmsAqslWAA7NlWtSEfm
                                                                                                                          MD5:9A1C13C1DFEAC2E49524050A020BD8EE
                                                                                                                          SHA1:98B322C0AAC3D3878086E5E99A19E2B453B3E581
                                                                                                                          SHA-256:827618C840CB935EFFEEF5250C80F520D80F988EB133CE9198D2149C146C3B03
                                                                                                                          SHA-512:43021A195DEF58249A7750DD35BE88F5FB66BC8C633A004E016B042E4EF37069311FF5667A9CDBAC627BC7B43A5EA8BE73CB00BD6B8217513AFA3E72CA1B496C
                                                                                                                          Malicious:false
                                                                                                                          Preview:L..................F.... ...2~.J.=..2~.J.=..2~.J.=..........................p.:..DG..Yr?.D..U..k0.&...&...... M.......BC.=....GJ.=......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlwY}.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....wY....Roaming.@......DWSlwY......C........................R.o.a.m.i.n.g.....\.2.....wY.. .Teams.exe.D......wY..wY...... ......................(o.T.e.a.m.s...e.x.e.......X...............-.......W............E......C:\Users\user\AppData\Roaming\Teams.exe........\.....\.....\.....\.....\.T.e.a.m.s...e.x.e.`.......X.......784794...........hT..CrF.f4... ...2=.b...,...W..hT..CrF.f4... ...2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                          Process:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):68096
                                                                                                                          Entropy (8bit):6.020738658795511
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:0QPbpWkVHai1Ub2rFRIdxRmKVMKokb4R9rAooBsh6bgOP+l:0QDpWk6Jb6+xVMKokb4RndOP+l
                                                                                                                          MD5:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          SHA1:DD32A84C4BFF58262FECB1511FBDBECDAC2B8045
                                                                                                                          SHA-256:63988792736CC57B3B93735662A660A4229D76E487D3D59ABC0AE17BC05050A5
                                                                                                                          SHA-512:51E5CA643E3E7576F073207EE854B10CF9DC61434670D20AFE771AAAFBBD883FF5A09CC471C5B5E2334BE5FF4C8E83B32722E7A8F29F5C61379B225191E98F98
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Teams.exe, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Teams.exe, Author: ditekSHen
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 83%
                                                                                                                          Process:C:\Users\user\Desktop\kwlYObMOSn.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):68096
                                                                                                                          Entropy (8bit):6.020738658795511
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:0QPbpWkVHai1Ub2rFRIdxRmKVMKokb4R9rAooBsh6bgOP+l:0QDpWk6Jb6+xVMKokb4RndOP+l
                                                                                                                          MD5:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          SHA1:DD32A84C4BFF58262FECB1511FBDBECDAC2B8045
                                                                                                                          SHA-256:63988792736CC57B3B93735662A660A4229D76E487D3D59ABC0AE17BC05050A5
                                                                                                                          SHA-512:51E5CA643E3E7576F073207EE854B10CF9DC61434670D20AFE771AAAFBBD883FF5A09CC471C5B5E2334BE5FF4C8E83B32722E7A8F29F5C61379B225191E98F98
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 83%
                                                                                                                          Process:C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):103
                                                                                                                          Entropy (8bit):4.081427527984575
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
                                                                                                                          MD5:B016DAFCA051F817C6BA098C096CB450
                                                                                                                          SHA1:4CC74827C4B2ED534613C7764E6121CEB041B459
                                                                                                                          SHA-256:B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
                                                                                                                          SHA-512:D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
                                                                                                                          Malicious:false
                                                                                                                          Preview:{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }
                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1835008
                                                                                                                          Entropy (8bit):4.421796526248881
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:8Svfpi6ceLP/9skLmb0OT5WSPHaJG8nAgeMZMMhA2fX4WABlEnNE0uhiTw:nvloT5W+EZMM6DFyK03w
                                                                                                                          MD5:81A1AA30793DD8171DDB48E3695E336C
                                                                                                                          SHA1:CE3A89F8B7ED7728A8411D7FFFE11667F622DB07
                                                                                                                          SHA-256:4D5D6EB65BD43D5F68F21A4A450AB3ECACBCA3E037E0537A739B9C70DD6D79BA
                                                                                                                          SHA-512:070F4EE46A5D7F8FCC2A682F60EBFCE44E63A4450CBD2D25D2C066924D488912A229EF517EBA8EC0216C50B1807969C681E0CB0CAD920B148E3CCE3AE424378A
                                                                                                                          Malicious:false
Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmF..O.=
                                                                                                                          Process:C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
                                                                                                                          File Type:ISO-8859 text, with CRLF, LF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):571
                                                                                                                          Entropy (8bit):4.9398118662542965
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
                                                                                                                          MD5:5294778E41EE83E1F1E78B56466AD690
                                                                                                                          SHA1:348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
                                                                                                                          SHA-256:3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
                                                                                                                          SHA-512:381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
                                                                                                                          Preview:.............................................................------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).
                                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                          Entropy (8bit):7.996910042858342
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                                          File name:kwlYObMOSn.exe
                                                                                                                          File size:897'536 bytes
                                                                                                                          MD5:f28a1fb54a5c3b2b4e4184e3dff4f50a
                                                                                                                          SHA1:180878512f7cd7c75c87fff174203228de688d34
                                                                                                                          SHA256:3914bb7ca015e96eb45556b7fa427a8b5fbfc497a9909b777ea5d4e5b321111e
                                                                                                                          SHA512:b15a376ed2370dd0c338a6736c450cfb6ae7b670a69e3b54eb2105a19cf6e4b7cecbbed1c96bc91db1653a3106d873f889e5788a83eff874c1341cfd7adc39c4
                                                                                                                          SSDEEP:24576:dAt5/Yxh3QlHPSZtbd1aRu8w2BdgXKhzm1OtH6nNnKAAAG/AA14eF0oayiw:m5ucEbr8PgXKhqItH6nNnKAAAG/AA14f
                                                                                                                          TLSH:10152359F5F13222EB65EBBF0FF8A9014CF057226203194FF328351D94B55E646BA24E
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.6g................................. ........@.. ....................... ............@................................
                                                                                                                          Icon Hash:00928e8e8686b000
                                                                                                                          Entrypoint:0x4dc6ce
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x67369F71 [Fri Nov 15 01:10:09 2024 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:4
                                                                                                                          OS Version Minor:0
                                                                                                                          File Version Major:4
                                                                                                                          File Version Minor:0
                                                                                                                          Subsystem Version Major:4
                                                                                                                          Subsystem Version Minor:0
                                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                          Instruction
                                                                                                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc678 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xde000 | 0x4d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xda6d4 | 0xda800 | 63a2167270a33cbff4f34a97e2c9500d | False | 0.9395816200657895 | data | 7.998505878740895 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xde000 | 0x4d0 | 0x600 | 184937c6229aad767aedda4cfa4a4f16 | False | 0.375 | data | 3.7002969536945476 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe0000 | 0xc | 0x200 | 0cf50d5b905ebadd8448137df7b814a8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xde0a0 | 0x23c | data | | | 0.4772727272727273
RT_MANIFEST | 0xde2e0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T21:00:09.122437+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49707 | 172.67.203.125 | 443 | TCP
2024-11-23T21:01:12.622457+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49850 | 193.161.193.99 | 33152 | TCP
2024-11-23T21:02:40.792427+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 50028 | 193.161.193.99 | 33152 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                          Nov 23, 2024 21:00:55.651221037 CET3315249809193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:00:57.772011042 CET3315249809193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:00:57.773206949 CET4980933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:00:57.878268957 CET4980933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:00:57.879410028 CET4981533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:00:57.997936964 CET3315249809193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:00:57.998982906 CET3315249815193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:00:57.999082088 CET4981533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:00:58.014273882 CET4981533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:00:58.140716076 CET3315249815193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:00.262073040 CET3315249815193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:00.262259960 CET4981533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:01.469096899 CET4981533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:01.470441103 CET4982733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:01.589571953 CET3315249815193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:01.590214014 CET3315249827193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:01.590316057 CET4982733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:01.604844093 CET4982733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:01.724407911 CET3315249827193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:03.818872929 CET3315249827193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:03.818943024 CET4982733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:03.844400883 CET4982733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:03.846652985 CET4983333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:03.989620924 CET3315249827193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:03.989640951 CET3315249833193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:03.989732027 CET4983333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:04.007136106 CET4983333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:04.126966953 CET3315249833193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:06.200140953 CET3315249833193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:06.200223923 CET4983333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:06.859869003 CET4983333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:06.860991955 CET4983933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:06.980654001 CET3315249833193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:06.981775999 CET3315249839193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:06.981854916 CET4983933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:06.996658087 CET4983933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:07.121910095 CET3315249839193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:09.356677055 CET3315249839193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:09.356787920 CET4983933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:09.609901905 CET4983933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:09.610963106 CET4984533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:09.734100103 CET3315249839193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:09.735075951 CET3315249845193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:09.735163927 CET4984533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:09.751357079 CET4984533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:09.870971918 CET3315249845193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:11.975301027 CET3315249845193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:11.975450993 CET4984533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:11.984908104 CET4984533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:11.988428116 CET4985033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:12.104592085 CET3315249845193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:12.108231068 CET3315249850193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:12.108923912 CET4985033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:12.136013031 CET4985033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:12.255645037 CET3315249850193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:12.622457027 CET4985033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:12.774574995 CET3315249850193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:14.319156885 CET3315249850193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:14.319384098 CET4985033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:17.922445059 CET4985033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:17.926841974 CET4986333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:18.042232037 CET3315249850193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:18.046396971 CET3315249863193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:18.047405005 CET4986333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:18.243248940 CET4986333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:18.363203049 CET3315249863193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:20.216532946 CET3315249863193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:20.223373890 CET4986333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:23.422841072 CET4986333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:23.425652981 CET4987833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:23.545886040 CET3315249863193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:23.548445940 CET3315249878193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:23.548543930 CET4987833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:23.577423096 CET4987833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:23.716734886 CET3315249878193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:25.781775951 CET3315249878193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:25.781963110 CET4987833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:28.938066959 CET4987833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:28.940043926 CET4989133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:29.058788061 CET3315249878193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:29.060421944 CET3315249891193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:29.060520887 CET4989133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:29.095881939 CET4989133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:29.218436956 CET3315249891193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:29.218511105 CET4989133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:29.338110924 CET3315249891193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:31.335202932 CET3315249891193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:31.335278034 CET4989133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:34.220731974 CET4989133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:34.220973969 CET4990233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:34.340869904 CET3315249891193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:34.341259956 CET3315249902193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:34.344465017 CET4990233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:34.529293060 CET4990233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:34.648889065 CET3315249902193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:36.577519894 CET3315249902193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:36.577629089 CET4990233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:39.598490000 CET4990233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:39.647177935 CET4991633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:39.724705935 CET3315249902193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:39.772231102 CET3315249916193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:39.772381067 CET4991633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:39.960097075 CET4991633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:40.079791069 CET3315249916193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:41.982325077 CET3315249916193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:41.985441923 CET4991633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:45.047614098 CET4991633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:45.048935890 CET4992933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:45.169524908 CET3315249916193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:45.170958996 CET3315249929193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:45.171041965 CET4992933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:45.208410025 CET4992933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:45.329502106 CET3315249929193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:47.413651943 CET3315249929193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:47.413877010 CET4992933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:50.456245899 CET4992933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:50.470392942 CET4994033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:50.577608109 CET3315249929193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:50.589993000 CET3315249940193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:50.593511105 CET4994033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:50.852737904 CET4994033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:50.972702980 CET3315249940193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:50.972774982 CET4994033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:51.092622995 CET3315249940193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:51.092693090 CET4994033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:51.217437029 CET3315249940193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:51.217515945 CET4994033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:51.344166040 CET3315249940193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:52.786143064 CET3315249940193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:52.786243916 CET4994033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:56.206248999 CET4995333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:56.206259966 CET4994033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:56.332783937 CET3315249953193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:56.332824945 CET3315249940193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:56.333478928 CET4995333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:56.385385990 CET4995333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:01:56.607283115 CET3315249953193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:58.773209095 CET3315249953193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:01:58.773411036 CET4995333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:02:01.500602007 CET4995333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:02:01.504160881 CET4996633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:02:01.644845009 CET3315249953193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:02:01.644889116 CET3315249966193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:02:01.645215034 CET4996633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:23.953895092 CET5003533152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:23.957716942 CET5003633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:24.080616951 CET3315250035193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:24.084177017 CET3315250036193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:24.084263086 CET5003633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:24.199932098 CET5003633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:24.395725965 CET3315250036193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:24.594705105 CET5003633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:24.716893911 CET3315250036193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:26.524924040 CET3315250036193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:26.525821924 CET5003633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:29.204215050 CET5003633152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:29.207675934 CET5003733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:29.345948935 CET3315250036193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:29.345962048 CET3315250037193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:29.346040964 CET5003733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:29.384287119 CET5003733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:29.509097099 CET3315250037193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:29.509166002 CET5003733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:29.631556034 CET3315250037193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:29.631618977 CET5003733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:29.751687050 CET3315250037193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:29.751749992 CET5003733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:29.874330997 CET3315250037193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:31.560635090 CET3315250037193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:31.560705900 CET5003733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:34.688357115 CET5003733152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:34.691911936 CET5003833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:34.811491966 CET3315250037193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:34.816422939 CET3315250038193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:34.822870970 CET5003833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:34.890341997 CET5003833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:35.009902000 CET3315250038193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:35.009964943 CET5003833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:35.129529953 CET3315250038193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:37.031842947 CET3315250038193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:37.031949997 CET5003833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:39.969739914 CET5003833152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:39.973766088 CET5003933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:40.089329004 CET3315250038193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:40.093496084 CET3315250039193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:40.093880892 CET5003933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:40.201632023 CET5003933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:40.370523930 CET3315250039193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:42.366164923 CET3315250039193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:42.366952896 CET5003933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:45.328998089 CET5003933152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:45.331741095 CET5004033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:45.452915907 CET3315250039193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:45.455849886 CET3315250040193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:45.455925941 CET5004033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:45.495436907 CET5004033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:45.615591049 CET3315250040193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:45.615643978 CET5004033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:45.737986088 CET3315250040193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:45.738168001 CET5004033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:45.864496946 CET3315250040193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:47.697666883 CET3315250040193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:47.697745085 CET5004033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:50.596823931 CET5004133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:50.596837044 CET5004033152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:50.716510057 CET3315250041193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:50.716532946 CET3315250040193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:50.716669083 CET5004133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:50.800827980 CET5004133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:50.921355963 CET3315250041193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:52.953984022 CET3315250041193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:52.954051971 CET5004133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:55.891460896 CET5004133152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:55.895685911 CET5004233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:56.011454105 CET3315250041193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:56.015459061 CET3315250042193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:56.020874023 CET5004233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:56.076829910 CET5004233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:03:56.196764946 CET3315250042193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:58.259979010 CET3315250042193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:03:58.261905909 CET5004233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:01.110373020 CET5004233152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:01.113688946 CET5004333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:01.230602026 CET3315250042193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:01.234611988 CET3315250043193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:01.234694004 CET5004333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:01.279756069 CET5004333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:01.405982971 CET3315250043193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:01.406039000 CET5004333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:01.530016899 CET3315250043193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:03.448226929 CET3315250043193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:03.448297024 CET5004333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:06.328991890 CET5004333152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:06.330944061 CET5004433152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:06.452939987 CET3315250043193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:06.455004930 CET3315250044193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:06.455163002 CET5004433152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:06.558173895 CET5004433152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:06.678330898 CET3315250044193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:07.891820908 CET5004433152192.168.2.5193.161.193.99
                                                                                                                          Nov 23, 2024 21:04:08.011630058 CET3315250044193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:08.690259933 CET3315250044193.161.193.99192.168.2.5
                                                                                                                          Nov 23, 2024 21:04:08.697870970 CET5004433152192.168.2.5193.161.193.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 21:00:03.150702000 CET | 53021 | 53 | 192.168.2.5 | 1.1.1.1
Nov 23, 2024 21:00:03.289911985 CET | 53 | 53021 | 1.1.1.1 | 192.168.2.5
Nov 23, 2024 21:00:06.989326000 CET | 49453 | 53 | 192.168.2.5 | 1.1.1.1
Nov 23, 2024 21:00:07.254636049 CET | 53 | 49453 | 1.1.1.1 | 192.168.2.5
Nov 23, 2024 21:00:09.556058884 CET | 53774 | 53 | 192.168.2.5 | 1.1.1.1
Nov 23, 2024 21:00:09.702918053 CET | 53 | 53774 | 1.1.1.1 | 192.168.2.5
Nov 23, 2024 21:00:13.519443035 CET | 61403 | 53 | 192.168.2.5 | 1.1.1.1
Nov 23, 2024 21:00:13.660063028 CET | 53 | 61403 | 1.1.1.1 | 192.168.2.5
Nov 23, 2024 21:00:15.660528898 CET | 56819 | 53 | 192.168.2.5 | 1.1.1.1
Nov 23, 2024 21:00:15.801084042 CET | 53 | 56819 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 23, 2024 21:00:03.150702000 CET | 192.168.2.5 | 1.1.1.1 | 0x3c14 | Standard query (0) | getsolara.dev | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:06.989326000 CET | 192.168.2.5 | 1.1.1.1 | 0xb8b1 | Standard query (0) | Cactus-33152.portmap.host | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:09.556058884 CET | 192.168.2.5 | 1.1.1.1 | 0xdba1 | Standard query (0) | clientsettings.roblox.com | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:13.519443035 CET | 192.168.2.5 | 1.1.1.1 | 0x902c | Standard query (0) | www.nodejs.org | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:15.660528898 CET | 192.168.2.5 | 1.1.1.1 | 0x3955 | Standard query (0) | nodejs.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 23, 2024 21:00:03.289911985 CET | 1.1.1.1 | 192.168.2.5 | 0x3c14 | No error (0) | getsolara.dev | | 172.67.203.125 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:03.289911985 CET | 1.1.1.1 | 192.168.2.5 | 0x3c14 | No error (0) | getsolara.dev | | 104.21.93.27 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:07.254636049 CET | 1.1.1.1 | 192.168.2.5 | 0xb8b1 | No error (0) | Cactus-33152.portmap.host | | 193.161.193.99 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:09.702918053 CET | 1.1.1.1 | 192.168.2.5 | 0xdba1 | No error (0) | clientsettings.roblox.com | titanium.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 23, 2024 21:00:09.702918053 CET | 1.1.1.1 | 192.168.2.5 | 0xdba1 | No error (0) | titanium.roblox.com | edge-term4.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 23, 2024 21:00:09.702918053 CET | 1.1.1.1 | 192.168.2.5 | 0xdba1 | No error (0) | edge-term4.roblox.com | edge-term4-lhr2.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 23, 2024 21:00:09.702918053 CET | 1.1.1.1 | 192.168.2.5 | 0xdba1 | No error (0) | edge-term4-lhr2.roblox.com | | 128.116.119.3 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:13.660063028 CET | 1.1.1.1 | 192.168.2.5 | 0x902c | No error (0) | www.nodejs.org | | 104.20.22.46 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:13.660063028 CET | 1.1.1.1 | 192.168.2.5 | 0x902c | No error (0) | www.nodejs.org | | 104.20.23.46 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:15.801084042 CET | 1.1.1.1 | 192.168.2.5 | 0x3955 | No error (0) | nodejs.org | | 104.20.23.46 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:00:15.801084042 CET | 1.1.1.1 | 192.168.2.5 | 0x3955 | No error (0) | nodejs.org | | 104.20.22.46 | A (IP address) | IN (0x0001) | false
                                                                                                                          • getsolara.dev
                                                                                                                          • clientsettings.roblox.com
                                                                                                                          • www.nodejs.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 172.67.203.125 | 443 | 2860 | C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 20:00:04 UTC | 81 | OUT | GET /asset/discord.json HTTP/1.1
                                                                                                                          Host: getsolara.dev
                                                                                                                          Connection: Keep-Alive
2024-11-23 20:00:05 UTC | 1021 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Sat, 23 Nov 2024 20:00:05 GMT
                                                                                                                          Content-Type: application/json
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                          Cache-Control: public, max-age=0, must-revalidate
                                                                                                                          ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
                                                                                                                          referrer-policy: strict-origin-when-cross-origin
                                                                                                                          x-content-type-options: nosniff
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iHIq1dSxpQXGKiGM1s8%2FnIeocvLXYWmWsoSJ6o4WQjfLT4CdjckIULjcXqGHk8nE4%2FEgXibepvyoQaWtwgtkHqltnloCPuBBCugEKrGI%2FlySaUKFpmS5P%2F41OhPFCHaw"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Vary: Accept-Encoding
                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                          Strict-Transport-Security: max-age=0
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8e73be4f889b8c7b-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2009&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2813&recv_bytes=695&delivery_rate=1447694&cwnd=191&unsent_bytes=0&cid=8bbd60d4abf029a2&ts=516&x=0"
2024-11-23 20:00:05 UTC | 109 | IN | Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
2024-11-23 20:00:05 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 172.67.203.125 | 443 | 2860 | C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 20:00:08 UTC | 56 | OUT | GET /api/endpoint.json HTTP/1.1
                                                                                                                          Host: getsolara.dev
2024-11-23 20:00:09 UTC | 1019 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Sat, 23 Nov 2024 20:00:08 GMT
                                                                                                                          Content-Type: application/json
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                          Cache-Control: public, max-age=0, must-revalidate
                                                                                                                          ETag: W/"1fb39881d9a29ec7570ef2c2a61f7386"
                                                                                                                          referrer-policy: strict-origin-when-cross-origin
                                                                                                                          x-content-type-options: nosniff
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hyTFDMahSD%2FgJi9bdD64HTva6SP7RzdJHpc44pasRWCEvPBa1nGkDWOB%2BwnKlowJl5IYJ4L46bjbKYp%2BTsK0PgOgBN4J8KPpzEqbL42cXAo2J66e30oP4QdOWBj3GTFJ"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Vary: Accept-Encoding
                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                          Strict-Transport-Security: max-age=0
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8e73be679dca7cfa-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2408&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2812&recv_bytes=694&delivery_rate=1367041&cwnd=187&unsent_bytes=0&cid=26900a853fd49b23&ts=512&x=0"
2024-11-23 20:00:09 UTC | 350 | IN | Data Ascii: 21c{ "BootstrapperVersion": "1.23", "SupportedClient": "version-8aa36bbf0eb1494a", "SoftwareVersion": "3.129", "BootstrapperUrl": "https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
2024-11-23 20:00:09 UTC | 197 | IN | Data Ascii: tps://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"6b8e84847d8f17592e9f74cb6431e25205fbee0d1699f0b599319d39fe8174dd", "Changelog":"[+] updated"}
2024-11-23 20:00:09 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49708 | 128.116.119.3 | 443 | 2860 | C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 20:00:11 UTC | 119 | OUT | GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
                                                                                                                          Host: clientsettings.roblox.com
                                                                                                                          Connection: Keep-Alive
2024-11-23 20:00:11 UTC | 576 | IN | HTTP/1.1 200 OK
                                                                                                                          content-length: 119
                                                                                                                          content-type: application/json; charset=utf-8
                                                                                                                          date: Sat, 23 Nov 2024 20:00:11 GMT
                                                                                                                          server: Kestrel
                                                                                                                          cache-control: no-cache
                                                                                                                          strict-transport-security: max-age=3600
                                                                                                                          x-frame-options: SAMEORIGIN
                                                                                                                          roblox-machine-id: e9d3c98b-fed9-008b-41bf-c30ef003f879
                                                                                                                          x-roblox-region: us-central_rbx
                                                                                                                          x-roblox-edge: lhr2
                                                                                                                          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
                                                                                                                          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
                                                                                                                          connection: close
2024-11-23 20:00:11 UTC | 119 | IN | Data Ascii: {"version":"0.652.0.6520764","clientVersionUpload":"version-8aa36bbf0eb1494a","bootstrapperVersion":"1, 6, 0, 6520764"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49710 | 104.20.22.46 | 443 | 2860 | C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 20:00:14 UTC | 99 | OUT | GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
                                                                                                                          Host: www.nodejs.org
                                                                                                                          Connection: Keep-Alive
2024-11-23 20:00:15 UTC | 497 | IN | HTTP/1.1 307 Temporary Redirect
                                                                                                                          Date: Sat, 23 Nov 2024 20:00:15 GMT
                                                                                                                          Content-Type: text/plain
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: public, max-age=0, must-revalidate
                                                                                                                          location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                                                                                                                          strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                          x-vercel-id: iad1::lt48g-1732392015489-4dfa4fa0faf8
                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8e73be8f1c6ac34e-EWR
2024-11-23 20:00:15 UTC | 20 | IN | Data Ascii: fRedirecting...
2024-11-23 20:00:15 UTC | 5 | IN | Data Ascii: 0



                                                                                                                          Target ID:0
                                                                                                                          Start time:15:00:00
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\Desktop\kwlYObMOSn.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Users\user\Desktop\kwlYObMOSn.exe"
                                                                                                                          Imagebase:0xd00000
                                                                                                                          File size:897'536 bytes
                                                                                                                          MD5 hash:F28A1FB54A5C3B2B4E4184E3DFF4F50A
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:15:00:00
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"
                                                                                                                          Imagebase:0x1e6ebaa0000
                                                                                                                          File size:819'200 bytes
                                                                                                                          MD5 hash:02C70D9D6696950C198DB93B7F6A835E
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                          • Detection: 63%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:3
                                                                                                                          Start time:15:00:01
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:4
                                                                                                                          Start time:15:00:01
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\XClient.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\XClient.exe"
                                                                                                                          Imagebase:0xf20000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 100%, Avira
                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                          • Detection: 83%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:false

                                                                                                                          Target ID:5
                                                                                                                          Start time:15:00:01
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"cmd" /c ipconfig /all
                                                                                                                          Imagebase:0x7ff792b20000
                                                                                                                          File size:289'792 bytes
                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:6
                                                                                                                          Start time:15:00:01
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:7
                                                                                                                          Start time:15:00:01
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Windows\System32\ipconfig.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:ipconfig /all
                                                                                                                          Imagebase:0x7ff7b4650000
                                                                                                                          File size:35'840 bytes
                                                                                                                          MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:8
                                                                                                                          Start time:15:00:05
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Windows\System32\schtasks.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"
                                                                                                                          Imagebase:0x7ff70fbd0000
                                                                                                                          File size:235'008 bytes
                                                                                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:9
                                                                                                                          Start time:15:00:05
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:10
                                                                                                                          Start time:15:00:07
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Imagebase:0x850000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Teams.exe, Author: Joe Security
                                                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Teams.exe, Author: ditekSHen
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 100%, Avira
                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                          • Detection: 83%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:11
                                                                                                                          Start time:15:00:13
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Teams.exe"
                                                                                                                          Imagebase:0xb90000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:14
                                                                                                                          Start time:15:00:14
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 2860 -s 2196
                                                                                                                          Imagebase:0x7ff721450000
                                                                                                                          File size:570'736 bytes
                                                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:17
                                                                                                                          Start time:15:00:21
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Teams.exe"
                                                                                                                          Imagebase:0x830000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:19
                                                                                                                          Start time:15:01:01
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Imagebase:0xd10000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:20
                                                                                                                          Start time:15:02:00
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Imagebase:0xa70000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:21
                                                                                                                          Start time:15:03:00
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Imagebase:0x5f0000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:22
                                                                                                                          Start time:15:04:00
                                                                                                                          Start date:23/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\Teams.exe
                                                                                                                          Imagebase:0x50000
                                                                                                                          File size:68'096 bytes
                                                                                                                          MD5 hash:E82A4E80B783AB902E649D21DCD0F3D5
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Reset < >
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2053840196.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_kwlYObMOSn.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 532c33bb275f6d6c71e26f2806ad81a9bbac9bf1c8f289e2aaf8811bd9badede
                                                                                                                            • Instruction ID: b937ffa4ffb6b8d1fe11efa6c360b206abea6d8f58df35793f13687812b5a5e1
                                                                                                                            • Opcode Fuzzy Hash: 532c33bb275f6d6c71e26f2806ad81a9bbac9bf1c8f289e2aaf8811bd9badede
                                                                                                                            • Instruction Fuzzy Hash: CC31B231E1DA895FE785E7A858692B87BE1EF6A341F0800BBD04DC71D7DE25AC45C306
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2053840196.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_kwlYObMOSn.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fa1c3d3a11b6b2e249664d8db58c2e23d72b0e0d7be41e9a2f02ad806a64a269
                                                                                                                            • Instruction ID: 1a9423d4b5f6b6296c823d31bc4278e4f66625dca226a30b28b5d3e112c95f2e
                                                                                                                            • Opcode Fuzzy Hash: fa1c3d3a11b6b2e249664d8db58c2e23d72b0e0d7be41e9a2f02ad806a64a269
                                                                                                                            • Instruction Fuzzy Hash: C0717F31A1991C8FEB98FB68D458BADB7E2FF98355F144178E41AD32D1CF39A8418B04
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2053840196.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_kwlYObMOSn.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e8c664d6572cc85d71c828cb10d50008c958e653f91d657e27977ecb1cf614f4
                                                                                                                            • Instruction ID: 078a3bb5e9ea49c218655ce613a09c743c85df8e64673ec4a4b0dfa8ac3ed2b7
                                                                                                                            • Opcode Fuzzy Hash: e8c664d6572cc85d71c828cb10d50008c958e653f91d657e27977ecb1cf614f4
                                                                                                                            • Instruction Fuzzy Hash: 8B31676284E3C25FC30367706C664A17FB09E87260B0A44EBD8C4CF5E3D61C6A9AC362
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2053840196.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH
                                                                                                                            • API String ID: 0-3722465034
                                                                                                                            • Opcode ID: 09fd9d05e66475f0b8c60c327f35c653bb7648700722f5f2fd361e9989cac4b1
                                                                                                                            • Instruction ID: f9ff69d91837b97faf37f3a78d1f7fd87ba49dae6c835e8730c677e5d2bde7dd
                                                                                                                            • Opcode Fuzzy Hash: 09fd9d05e66475f0b8c60c327f35c653bb7648700722f5f2fd361e9989cac4b1
                                                                                                                            • Instruction Fuzzy Hash: 98A1F331B1CE494FEB99E73C98562B937E2EF99690B0501BAD44DC32D3DF28AC028745
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH
                                                                                                                            • API String ID: 0-3722465034
                                                                                                                            • Opcode ID: 22a86f1c6ba24a83f147f409ef5bb5836e7986da881aec4421aa71ed9fa294f1
                                                                                                                            • Instruction ID: fda836fe331d421844b0f91667fefff28f273a587b63fc11d043bc4c3c0bbede
                                                                                                                            • Opcode Fuzzy Hash: 22a86f1c6ba24a83f147f409ef5bb5836e7986da881aec4421aa71ed9fa294f1
                                                                                                                            • Instruction Fuzzy Hash: 8B910331B1CE494FEB98A73C98562B937E2EF99690B0501BAD44DC33D7DF28AC028745
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH
                                                                                                                            • API String ID: 0-3722465034
                                                                                                                            • Opcode ID: 547ff3bd965015b2155d576464efab9162295a198c9fa38e850b66ef2327225e
                                                                                                                            • Instruction ID: 8a55de543b1eec031eaff6fcf00702c7049d22f8fdefce96d0aab44902118ca1
                                                                                                                            • Opcode Fuzzy Hash: 547ff3bd965015b2155d576464efab9162295a198c9fa38e850b66ef2327225e
                                                                                                                            • Instruction Fuzzy Hash: F991F331B1CE494FEB99A73C98562B937E2EF99690B0501BAD44DC33D7DF28AC028745
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$HAH$HAH$HAH$\
                                                                                                                            • API String ID: 0-2962837600
                                                                                                                            • Opcode ID: 22b7a549ab035ef30469888e01259f93ef058571a7c8622ae7ffadea9688d157
                                                                                                                            • Instruction ID: a9967699ef50c7651c66494592b35937c089d50d560c3ae0d65fb366db67732d
                                                                                                                            • Opcode Fuzzy Hash: 22b7a549ab035ef30469888e01259f93ef058571a7c8622ae7ffadea9688d157
                                                                                                                            • Instruction Fuzzy Hash: E5423430A2CA454FE359EB289495676B7E1EF99380F14447EC48FC32D3DF28B8468799
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$HAH$HAH$HAH$HAH
                                                                                                                            • API String ID: 0-381444693
                                                                                                                            • Opcode ID: ab31f53c9521370ff9e1fe7f1fb5f64614803cca39f635de499c89091f95841f
                                                                                                                            • Instruction ID: 8c9a1186f12e4d82018808fdf5401ffb8eee6ef17dd4c5c2c77b82fdfee2c3ca
                                                                                                                            • Opcode Fuzzy Hash: ab31f53c9521370ff9e1fe7f1fb5f64614803cca39f635de499c89091f95841f
                                                                                                                            • Instruction Fuzzy Hash: 77F1C331B1CE4A4FE698FB2CA45567477D2EFA8790F4401BAD40EC72D7EE18AC428785
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: @WH$@WH$@WH$@WH$@WH
                                                                                                                            • API String ID: 0-2868849170
                                                                                                                            • Opcode ID: bd835e43d98401a5674ebc97569966b57efa4d4474b558c15b2c6e0f6dcd63da
                                                                                                                            • Instruction ID: 6c3fc529960824ec7d27d4c8061754605b41525c94c76c386a044b955448fd79
                                                                                                                            • Opcode Fuzzy Hash: bd835e43d98401a5674ebc97569966b57efa4d4474b558c15b2c6e0f6dcd63da
                                                                                                                            • Instruction Fuzzy Hash: F102A830A1CB898FE798EB28C455676B7E1FFA9740F04457EE48DC7292DF34A8418B46
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: @WH$@WH$@WH$@WH$@WH
                                                                                                                            • API String ID: 0-2868849170
                                                                                                                            • Opcode ID: 9ac59652dbfd9a7f66491e8cfa41b65131ebff50bc08fc26ade880691449a38f
                                                                                                                            • Instruction ID: 4d02e45ed5f6fa4118713926bf96494ce37d82e80a65e110865763690d1a075f
                                                                                                                            • Opcode Fuzzy Hash: 9ac59652dbfd9a7f66491e8cfa41b65131ebff50bc08fc26ade880691449a38f
                                                                                                                            • Instruction Fuzzy Hash: DE029630A1CB498FE798EB28C455676B7E2FFA8740F00457EE48DC3296DF34A8418B46
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: @WH$@WH$@WH$@WH$@WH
                                                                                                                            • API String ID: 0-2868849170
                                                                                                                            • Opcode ID: d954a95a5543d71954f1b824317b39814779c70f659cef02f30aad93a857c3b3
                                                                                                                            • Instruction ID: dbdbdf7d0b9e8f36e7ef34dfda6a7c49afa30e34d0c10d98417db4b26a3f5dfc
                                                                                                                            • Opcode Fuzzy Hash: d954a95a5543d71954f1b824317b39814779c70f659cef02f30aad93a857c3b3
                                                                                                                            • Instruction Fuzzy Hash: 9691C23291CE8A9FE394F72894457B6B7E1FBA4790F04457AD44EC75C2DF28B8828781
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$\Q_H$wH
                                                                                                                            • API String ID: 0-938152505
                                                                                                                            • Opcode ID: e0294b68e00f5b609684f6e16652a273ba4533ae6b6a06d1030d2fc0700d47ba
                                                                                                                            • Instruction ID: 6c7ba341afd24c1d45647f9c779419374ec23c60a746d2061699f48f26522dd5
                                                                                                                            • Opcode Fuzzy Hash: e0294b68e00f5b609684f6e16652a273ba4533ae6b6a06d1030d2fc0700d47ba
                                                                                                                            • Instruction Fuzzy Hash: 33D14771E1ED9A4FF395A72C6859275BBE1EFA9680F1900BAC04CC72E7DE1C9C068351
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$HAH
                                                                                                                            • API String ID: 0-2719557456
                                                                                                                            • Opcode ID: eaed73516fc4977c1ea328d3a514e1951a594ec7a96a138d9f5b816a4871eb12
                                                                                                                            • Instruction ID: 97e54fd0c0fde54fa8945fb027e128a260d5729b8b41e7121c800e552a952b5c
                                                                                                                            • Opcode Fuzzy Hash: eaed73516fc4977c1ea328d3a514e1951a594ec7a96a138d9f5b816a4871eb12
                                                                                                                            • Instruction Fuzzy Hash: 70C15832E0DA594FE715BB6CB8801F9B790EF957A4F0402B7C048DB1D3EB28A84683D4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ?J_H$HAH$HAH
                                                                                                                            • API String ID: 0-181473210
                                                                                                                            • Opcode ID: 3346c8b59e66c48ea74745aa258aa637fa81e270db210a667a94f0005dea4419
                                                                                                                            • Instruction ID: 163f98e5ccdab1bc9c66a236cdcc050384b9604ae03ca2980db77285b8971b3a
                                                                                                                            • Opcode Fuzzy Hash: 3346c8b59e66c48ea74745aa258aa637fa81e270db210a667a94f0005dea4419
                                                                                                                            • Instruction Fuzzy Hash: F2B1F230E0CB4A4FF768BB2898542B5B7A1EF56390F0541BBD45AC71C7EF2C68468369
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$HAH
                                                                                                                            • API String ID: 0-2719557456
                                                                                                                            • Opcode ID: f8ec99c52fa6807b56c27c4eff63ccdd92f69735f64591284ca713df6668eaa3
                                                                                                                            • Instruction ID: b85ea4a231569d46b4c4791b0d16bfe72cd8e7dda7ded7be62f9a9157f3c185d
                                                                                                                            • Opcode Fuzzy Hash: f8ec99c52fa6807b56c27c4eff63ccdd92f69735f64591284ca713df6668eaa3
                                                                                                                            • Instruction Fuzzy Hash: 8E811731B1DD190FE6A4F71CA8597B963D1EBA87A0F0502BBD40DD32D6EF299C428385
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH
                                                                                                                            • API String ID: 0-1579723087
                                                                                                                            • Opcode ID: e798590f6955846b389f9c196be5e0300e106ee8a5a669b913b25f22e6ca3fab
                                                                                                                            • Instruction ID: af957572df4dfce1456cc46f8a4bac2a43c19ff03e9302f927b9fd057a602f82
                                                                                                                            • Opcode Fuzzy Hash: e798590f6955846b389f9c196be5e0300e106ee8a5a669b913b25f22e6ca3fab
                                                                                                                            • Instruction Fuzzy Hash: DEB12431A1C9494FEB98BB2C984567977D1EF99744F0001BAD84EC32D7DE28BC828385
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ]H
                                                                                                                            • API String ID: 0-3863620904
                                                                                                                            • Opcode ID: 098097d2dd2daacf16e3f8a6adbe8922468c9e02c9361278f24a09ce69b0b81a
                                                                                                                            • Instruction ID: 754ad2f377ade4e4761ca41833cf6ac75006348b1b889021645b0b2ef1582a92
                                                                                                                            • Opcode Fuzzy Hash: 098097d2dd2daacf16e3f8a6adbe8922468c9e02c9361278f24a09ce69b0b81a
                                                                                                                            • Instruction Fuzzy Hash: CBA14632A1DA4E0FF798E75CA8456B577E0EFA5760F0401BBD44CD72C7DE1AA8424744
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: d
                                                                                                                            • API String ID: 0-2564639436
                                                                                                                            • Opcode ID: 55ac122dc56fc033c1de3cec24328ba34f0aebdf83412fc65fe4d46538e08876
                                                                                                                            • Instruction ID: 0d593f98674acea585f5e5c0d8690af059a421177691fbaf68d9f02e74e15215
                                                                                                                            • Opcode Fuzzy Hash: 55ac122dc56fc033c1de3cec24328ba34f0aebdf83412fc65fe4d46538e08876
                                                                                                                            • Instruction Fuzzy Hash: E5B1DD30A2CB498FD729EB18D481636B3E1FF99740F144A7DD48A83696DB35F8438B85
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: @WH
                                                                                                                            • API String ID: 0-1574652160
                                                                                                                            • Opcode ID: a0e318a7dfc6babc97f0a0be8d4eab0d59f1bb19ea4fb6c5be447ccbb980a3dc
                                                                                                                            • Instruction ID: 3cacd5e2f2d00cbe434212c4cfe3132eb18f293018b04e0e15556b71382cf6b3
                                                                                                                            • Opcode Fuzzy Hash: a0e318a7dfc6babc97f0a0be8d4eab0d59f1bb19ea4fb6c5be447ccbb980a3dc
                                                                                                                            • Instruction Fuzzy Hash: 3031243291CEC58FE354F7289859665BBE1FBA4750F08067BC88DC71E2DF28B8458786
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: yH
                                                                                                                            • API String ID: 0-736024383
                                                                                                                            • Opcode ID: 46d2abf7514ce991f4e96bbd0e79dee067755380a8536194b850d7c5af0290b7
                                                                                                                            • Instruction ID: bcd2697db6aaee7262bbaaf65661135e151e8274c8cd2db150bf33cd80aa2937
                                                                                                                            • Opcode Fuzzy Hash: 46d2abf7514ce991f4e96bbd0e79dee067755380a8536194b850d7c5af0290b7
                                                                                                                            • Instruction Fuzzy Hash: 3A713631E1DA894FE785EB289854675BBE1EF5A798F0801BAD04DC32D3DF286C46C385
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: rK_^
                                                                                                                            • API String ID: 0-760080450
                                                                                                                            • Opcode ID: 301db9feb94b251729afad39ecd40be0137615f0ed02aef3a7d325bcbed72df3
                                                                                                                            • Instruction ID: 9ccdcad172d47fd7d68fc001d44c30b4db58ffdf4d60941bebb5b59d0ac77814
                                                                                                                            • Opcode Fuzzy Hash: 301db9feb94b251729afad39ecd40be0137615f0ed02aef3a7d325bcbed72df3
                                                                                                                            • Instruction Fuzzy Hash: AC61A817A1E5D56BE741B77CA4A51EA3BA0EF52669F0842B7D0CCCE093DE0C644A8368
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: yH
                                                                                                                            • API String ID: 0-736024383
                                                                                                                            • Opcode ID: 469436e9e57f965c3c3b9ab927ccee407d6642c9d3f978ac38a06bbcf749bd34
                                                                                                                            • Instruction ID: 49d38977b75552bae6c54bd54369836da7ea93d8de7a7ae1617f756d46d9c151
                                                                                                                            • Opcode Fuzzy Hash: 469436e9e57f965c3c3b9ab927ccee407d6642c9d3f978ac38a06bbcf749bd34
                                                                                                                            • Instruction Fuzzy Hash: 5951D131E1CD4A4FEB84EB2C985567977E2EF98784F09017AD00DC32D7DE28AC458785
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: #CL_^
                                                                                                                            • API String ID: 0-2282437773
                                                                                                                            • Opcode ID: 3facbd144411a232cfac3b81dad1b85c81f6fe9dba3bc788ab3e398012554a3a
                                                                                                                            • Instruction ID: 03390f3ae46477f36333dbbc23b722183706bf17b6bc0c3d91f32b9bdd55412e
                                                                                                                            • Opcode Fuzzy Hash: 3facbd144411a232cfac3b81dad1b85c81f6fe9dba3bc788ab3e398012554a3a
                                                                                                                            • Instruction Fuzzy Hash: 3251AF30A1DA894FE799F728D4516B977E1EF95380F0401BAD05EC72E3CE29A8458751
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: yH
                                                                                                                            • API String ID: 0-736024383
                                                                                                                            • Opcode ID: 727aebfeb69b0650af68000f66e8b787b3ee42ec2b547c55c7bc2995af1a1852
                                                                                                                            • Instruction ID: e232058e9bc6e170483f4ee98295cf5589e0363786348ab810c57c3b092f8935
                                                                                                                            • Opcode Fuzzy Hash: 727aebfeb69b0650af68000f66e8b787b3ee42ec2b547c55c7bc2995af1a1852
                                                                                                                            • Instruction Fuzzy Hash: C851E131E1CE4A4FE785EB2C98556756BE2FF98784F0901BAD00CC32D7DE28AC468785
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 0-3916222277
                                                                                                                            • Opcode ID: cb0cce62081fefae824808e15d824299907634f4c5b1e84dde34316c9d63cd18
                                                                                                                            • Instruction ID: e5a1bf95b0118499d002e65793927e29863fb50543c953554bfae8afe80873f7
                                                                                                                            • Opcode Fuzzy Hash: cb0cce62081fefae824808e15d824299907634f4c5b1e84dde34316c9d63cd18
                                                                                                                            • Instruction Fuzzy Hash: 54516D6045E7C21FE793A7B498605923FF99F87660B0A41EBD4C9CF0A3D61E494AC723
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: L_^
                                                                                                                            • API String ID: 0-2257155764
                                                                                                                            • Opcode ID: 866678ee16b3db7f92e96dcf635ce45e09ada60fcf85f4fe0c2dd23f86ff9dcb
                                                                                                                            • Instruction ID: d50a8c17d1676453c883cc605844c3619c2ff40524cf5d952c6b4816aa78ee8f
                                                                                                                            • Opcode Fuzzy Hash: 866678ee16b3db7f92e96dcf635ce45e09ada60fcf85f4fe0c2dd23f86ff9dcb
                                                                                                                            • Instruction Fuzzy Hash: 38517922A0D5565EE742BBAC78114FE7BA0EF523A5F080277C14CDA0D3CB1C144987B5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH
                                                                                                                            • API String ID: 0-1579723087
                                                                                                                            • Opcode ID: c2ba66cf4fba93d0b578673b3e830fe422c1998d00db10bf60256efe1f1982bd
                                                                                                                            • Instruction ID: ecbba0fc96ffb2fb7139bd3f59923e3c949c4193e9d944187dc36b13a921c6a9
                                                                                                                            • Opcode Fuzzy Hash: c2ba66cf4fba93d0b578673b3e830fe422c1998d00db10bf60256efe1f1982bd
                                                                                                                            • Instruction Fuzzy Hash: 6D41AC31A1D94A4FE798FB2CA45527573E1FBA8790F4402BBD04DD32C6DE68AC468345
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH
                                                                                                                            • API String ID: 0-1579723087
                                                                                                                            • Opcode ID: ace5646018ee231a6fa0fcf886bddd7ab2a8c1ab02b85e13bf304991ccee0c91
                                                                                                                            • Instruction ID: 34228d0adb4386e74139d8991433574180178636ec910b9878752a14bf825a2f
                                                                                                                            • Opcode Fuzzy Hash: ace5646018ee231a6fa0fcf886bddd7ab2a8c1ab02b85e13bf304991ccee0c91
                                                                                                                            • Instruction Fuzzy Hash: 67311A32E1CD5A4FE394A72CA4192B977D0EB64B90F05067BD44DD72D5EF2898824389
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: wH
                                                                                                                            • API String ID: 0-1832589965
                                                                                                                            • Opcode ID: 1ba6bfc9e081166b37530c1f6f4f4e4738ce48002baaf18c9aa90ade4fa86123
                                                                                                                            • Instruction ID: 137cc6810396389cd0e3838f534170b7fca2057cd3ba6ff4778fb01edcdff03a
                                                                                                                            • Opcode Fuzzy Hash: 1ba6bfc9e081166b37530c1f6f4f4e4738ce48002baaf18c9aa90ade4fa86123
                                                                                                                            • Instruction Fuzzy Hash: 7531F860D0EBCE0FE346AB3898595B67FE2EF96690F0800BBD449C7197DE2D5846C351
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH
                                                                                                                            • API String ID: 0-1579723087
                                                                                                                            • Opcode ID: 276e3867b3e2ab28f8d5f4b3bf0252c0550f43f4f55a51d712f945acb198e5ba
                                                                                                                            • Instruction ID: d8484446e1b602df52e3ebe51f4f06a9ab31b436b409ac4229d5c7b0b444fe7e
                                                                                                                            • Opcode Fuzzy Hash: 276e3867b3e2ab28f8d5f4b3bf0252c0550f43f4f55a51d712f945acb198e5ba
                                                                                                                            • Instruction Fuzzy Hash: 9031BE31E09C1C8FEB98EB1CA4497B973E1FBB8B50F0400B6E40EE7285DE249C014788
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH
                                                                                                                            • API String ID: 0-1579723087
                                                                                                                            • Opcode ID: 7e68a7106563ff0f20cabaffa9f09bdc72267c4478d32bd3fac020fcdfb32621
                                                                                                                            • Instruction ID: 189bc4d89e8a74eefda93d81f4c0291b1c92d253d3d408933ae8756d6e1aad57
                                                                                                                            • Opcode Fuzzy Hash: 7e68a7106563ff0f20cabaffa9f09bdc72267c4478d32bd3fac020fcdfb32621
                                                                                                                            • Instruction Fuzzy Hash: 2E31E33090EB894FD756A7348859A66BFE1EF46740F0A41FAD089D71E3DF28A806C359
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: #CL_^
                                                                                                                            • API String ID: 0-2282437773
                                                                                                                            • Opcode ID: 52acff4cc093179bb3ec909e0a93a5f3d431687b47a7f4977b3ca41a9a884d7b
                                                                                                                            • Instruction ID: 621ed38d682de318d8539f6a46e370f9b334bdf868061c4e7eaa69b1ada08cdb
                                                                                                                            • Opcode Fuzzy Hash: 52acff4cc093179bb3ec909e0a93a5f3d431687b47a7f4977b3ca41a9a884d7b
                                                                                                                            • Instruction Fuzzy Hash: 36118230A1DA855FF7CAF328845167466B1DF9A7C0B0800BAC44DDB2E7CE2D5C4A8B61
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: #CL_^
                                                                                                                            • API String ID: 0-2282437773
                                                                                                                            • Opcode ID: 2f71c1bbfd895869d5a39fafed1c48e796c3ebd545be3df8e676479bb5a02883
                                                                                                                            • Instruction ID: f277548adc70bc0d38753f7243622326e345439c99191371c63cc6561be0dda8
                                                                                                                            • Opcode Fuzzy Hash: 2f71c1bbfd895869d5a39fafed1c48e796c3ebd545be3df8e676479bb5a02883
                                                                                                                            • Instruction Fuzzy Hash: 5C01613491E6C60EF389B734945167426B5DF963C4F5400B9D85DD71E3CF1E2849CB26
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b9c734259f7632bc333f252ad15021cf9fbf717b11c51f10c41881f4fca1fc36
                                                                                                                            • Instruction ID: 01de2ee014d9b129d99cd6d137ab5fbbd5a2912f23779c324bb53d56d10a5911
                                                                                                                            • Opcode Fuzzy Hash: b9c734259f7632bc333f252ad15021cf9fbf717b11c51f10c41881f4fca1fc36
                                                                                                                            • Instruction Fuzzy Hash: E9A1E931A1CA484FEB58EB1CA8566B8B7E1FF99750F04017EE44ED3292EB25F8418785
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 92571c204416aa655082b290e632a1005ed56c77c5952569a670cb18a64e578b
                                                                                                                            • Instruction ID: 5c728998dce5421869cf1a3ff7793fe9ee522828d25db43099d1bbb69568e823
                                                                                                                            • Opcode Fuzzy Hash: 92571c204416aa655082b290e632a1005ed56c77c5952569a670cb18a64e578b
                                                                                                                            • Instruction Fuzzy Hash: D5A10732D0F9825FE359E72C6869174BBD1FF91651B0801BBD088CB1DBEE18AC558399
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e7e572429b781680b44a58eb8b5517dcd3e701b3b26d8af748d380944c8992b3
                                                                                                                            • Instruction ID: c665f4bab3e1f910b14aeb55bd37986f57fa9e2aa0eb502bfb2acd497d919a43
                                                                                                                            • Opcode Fuzzy Hash: e7e572429b781680b44a58eb8b5517dcd3e701b3b26d8af748d380944c8992b3
                                                                                                                            • Instruction Fuzzy Hash: 02A12627A1E4676EE251B36CB4551FA2B50EF917B9F085337D18C8D0C3EF2C648682AD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3f111bf8ff0f50a628867ccf20b3b85e18578547484919d7df94c0c15a1c9293
                                                                                                                            • Instruction ID: f8e84e64aad7799f9b5a81f1a3e8285de9f1c7accade6d3a9e6e00eaf439d509
                                                                                                                            • Opcode Fuzzy Hash: 3f111bf8ff0f50a628867ccf20b3b85e18578547484919d7df94c0c15a1c9293
                                                                                                                            • Instruction Fuzzy Hash: F9911523A1E5665EE355B76CB4451FA2790EFA07B9F085377D18CCE0C3EF2C644642A8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0088f32c3f93c863c298bdcbd2cd05079a4f94dfda4842eadd8cfa3a31484fbc
                                                                                                                            • Instruction ID: 57fdae4062c1fefcbe97f330d0ab1b998770186289c052c95cd9045bda69e71d
                                                                                                                            • Opcode Fuzzy Hash: 0088f32c3f93c863c298bdcbd2cd05079a4f94dfda4842eadd8cfa3a31484fbc
                                                                                                                            • Instruction Fuzzy Hash: C8814831A1DA5A4FE794F76CA4955FA3BD0EFA4794F040277E049C71D3DF28A8028399
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1f08cf04628b26dcb9490481e84f1be309f6b5126a813fc3cd8eeb6963e87688
                                                                                                                            • Instruction ID: 01054ecc0eebd1ad9aeb240692cabd55488abae952ba8821671fa8cddcbe5f75
                                                                                                                            • Opcode Fuzzy Hash: 1f08cf04628b26dcb9490481e84f1be309f6b5126a813fc3cd8eeb6963e87688
                                                                                                                            • Instruction Fuzzy Hash: 6F911430A2CA4A4FD758EF6898855B6B7E0FB65750F14067ED04AC32C7EF29F8428784
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5413b1baad9f957ddc4ad0cadbf224e530a8d4b47c6a58324c089acec2fbd60f
                                                                                                                            • Instruction ID: 50db6b5d07c1094582fdcc5f5884fc426182813075be5e90fc19efe44c6577db
                                                                                                                            • Opcode Fuzzy Hash: 5413b1baad9f957ddc4ad0cadbf224e530a8d4b47c6a58324c089acec2fbd60f
                                                                                                                            • Instruction Fuzzy Hash: 2591F130A2CA4A8FD758EF2894855B6B7E0FB55350F24467ED08AC32C7EF28F8428744
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 32d621bf8146bf523c9455e679f6fdfcdb759f9f8b7a34810f0f2352ca95cf27
                                                                                                                            • Instruction ID: ab9fb6be8454a8893aabedbbc36ffd1a6d5c98a33e0d1e8a2354c3b55ac1b8b0
                                                                                                                            • Opcode Fuzzy Hash: 32d621bf8146bf523c9455e679f6fdfcdb759f9f8b7a34810f0f2352ca95cf27
                                                                                                                            • Instruction Fuzzy Hash: EB810533A1E5265EE254776DB8451FA2790EF907B9F086337D14CC90C3EF2CA48646A9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5bf7fb38e2c55979f065e7321b0adf7576756ef67f7897e1f77f3341c01067b7
                                                                                                                            • Instruction ID: 1ef7bddafef14cd16605ec15a24c2fe92f89e10c6de9f2cdbd8c931d5e715ea7
                                                                                                                            • Opcode Fuzzy Hash: 5bf7fb38e2c55979f065e7321b0adf7576756ef67f7897e1f77f3341c01067b7
                                                                                                                            • Instruction Fuzzy Hash: 2C81593061DA498FE319EB289849A70B7E0FF56350F1805BED089C71E7DF29B842C749
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b4dfb63705a6b7d6f04bae9c3f3a9425c6ad37766f6ca76319bfd2f6e0d5e112
                                                                                                                            • Instruction ID: d8cc685c8314a94a34c5bb20c2dc0c4d3e835ac2801487677303174640b85872
                                                                                                                            • Opcode Fuzzy Hash: b4dfb63705a6b7d6f04bae9c3f3a9425c6ad37766f6ca76319bfd2f6e0d5e112
                                                                                                                            • Instruction Fuzzy Hash: 1981E431A0EADA4FE395EB3C98545743FE1EFA6680B0901F7D048CB1E7DA19EC858751
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5c711c5657f03f703e4e883334300cc001a21e39740f72017d353cd20e62f22f
                                                                                                                            • Instruction ID: f938527ad4a7413ee25a6dcabbc9095e586f934192833eec3e995185614701ea
                                                                                                                            • Opcode Fuzzy Hash: 5c711c5657f03f703e4e883334300cc001a21e39740f72017d353cd20e62f22f
                                                                                                                            • Instruction Fuzzy Hash: EF41AC30A2CE064FD758EB38D4A96A6B3D1FF98340F54457DD48AC3696DE29B8828784
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a4f0bc741f53ab760afc627152bad6551b55d5be087469e44fe01addf35e204f
                                                                                                                            • Instruction ID: d988a85372bd6b897ed4ef5c677b29fb009196a8963d9ce0f707ee51437f2711
                                                                                                                            • Opcode Fuzzy Hash: a4f0bc741f53ab760afc627152bad6551b55d5be087469e44fe01addf35e204f
                                                                                                                            • Instruction Fuzzy Hash: 5D31EF30B1DA494FF399B72C68446712BE1EF69790F0401BBE44DC72D3DE2AAC858754
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 87b3f15f6d15dd250fd31fbc92e6927035d4e3b20a3be3daa89873581b8e5842
                                                                                                                            • Instruction ID: 47f46fe38aa275855eeb879d1d1fbc9548a12ceedb4270f49b69164b98366053
                                                                                                                            • Opcode Fuzzy Hash: 87b3f15f6d15dd250fd31fbc92e6927035d4e3b20a3be3daa89873581b8e5842
                                                                                                                            • Instruction Fuzzy Hash: 9141DE3061DE498FD719AB2890946B5B7E2EF55740F2441BEC08AC72D3CF29B842C759
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 43ad62a41c3eb5102ec37a2c433b93b099bddac6a6fd1340dea6c2297f696bf1
                                                                                                                            • Instruction ID: 1da2f5ffa321cbafd6e038edde0a3fd0232cdb2a9ba0e2fc31bb1c1bdcea3773
                                                                                                                            • Opcode Fuzzy Hash: 43ad62a41c3eb5102ec37a2c433b93b099bddac6a6fd1340dea6c2297f696bf1
                                                                                                                            • Instruction Fuzzy Hash: 2141D231A1CA8A4FE786F72894106BABBF1FF95340F0801B6D45CC71D3DB29A9458791
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f4ca163cb23c8894c2a5e0222dca8bc4a969d7428b30ef4cdd0500b62a40a09f
                                                                                                                            • Instruction ID: 5494686d0b7d4b291257f21b4a3dfa16c96257d045bb35821b51b4c6898c0d6f
                                                                                                                            • Opcode Fuzzy Hash: f4ca163cb23c8894c2a5e0222dca8bc4a969d7428b30ef4cdd0500b62a40a09f
                                                                                                                            • Instruction Fuzzy Hash: F131C672E1EAC54FE395A73C6869274BFE1EF66644B0900FAC48CC72E7DE185C068345
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ded7c6b95612869fc8c5f76db0408e5828b5f01fcfe833c0a65f4f13be73833e
                                                                                                                            • Instruction ID: 8e887770238d6cc53fe3badaa208e0a4aec050327f9ee67399655a6452f1fbc7
                                                                                                                            • Opcode Fuzzy Hash: ded7c6b95612869fc8c5f76db0408e5828b5f01fcfe833c0a65f4f13be73833e
                                                                                                                            • Instruction Fuzzy Hash: 8C418C3061DA499FEB95FB2CC090E7277E1EF69780B1445AAD04AC72E6CE29F845CB50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b133eeafafa9b2ebb513110f594db46ae167ae3b2b285c6acd6d929b5ff12016
                                                                                                                            • Instruction ID: 67700e5314de1cc4fe902c17847e26503050cb631700fd0ac9220b6a3e699b0d
                                                                                                                            • Opcode Fuzzy Hash: b133eeafafa9b2ebb513110f594db46ae167ae3b2b285c6acd6d929b5ff12016
                                                                                                                            • Instruction Fuzzy Hash: 88418031A1C95A8FEB85FB2884557F9BBE1FF68340F0401A6D40DD72E2DF29A885C791
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 34b67a7f7908b7008d2839763089a83b9cc61bf93a74a3d8691b3939e817ca5d
                                                                                                                            • Instruction ID: 17aa21469d089f25a209cc4a4691c217606a0344deb8ba7653af9aaf7ceb8579
                                                                                                                            • Opcode Fuzzy Hash: 34b67a7f7908b7008d2839763089a83b9cc61bf93a74a3d8691b3939e817ca5d
                                                                                                                            • Instruction Fuzzy Hash: 6C31F67160DAD94FD7A6E73858686B47FE0EF53290F0A41EBD489CB1E3DA085C498352
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1d29be39093fa66c8c8fb47cea79e786cd12dec19142de9ec2dc4507b6bc5d8e
                                                                                                                            • Instruction ID: c0ec3a5591a73d23a9e5fb001fb0bbaea62ba7ef09e598987ac221ced54e795c
                                                                                                                            • Opcode Fuzzy Hash: 1d29be39093fa66c8c8fb47cea79e786cd12dec19142de9ec2dc4507b6bc5d8e
                                                                                                                            • Instruction Fuzzy Hash: 4B31E331A0CA498FDB48EB1CA859566B7E1FFA9740F1401BED84DC3292DF21E8428785
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9fd185c73b78441e8626ab89d1e9be845449b11ba2fd9a6a3fafb79e2665ea0b
                                                                                                                            • Instruction ID: 63493cbe1efcc7e5ba8c862459bfd1f70ee536ec8fc6b095281806a51006ce07
                                                                                                                            • Opcode Fuzzy Hash: 9fd185c73b78441e8626ab89d1e9be845449b11ba2fd9a6a3fafb79e2665ea0b
                                                                                                                            • Instruction Fuzzy Hash: 16318D3061DE198FD758AB18D084AB9B3E2EB98745F60417DD05EC32D2CF25B8428788
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 333038a2331046078befac741fccce696dec34d608f89fbdc8f77440674c734b
                                                                                                                            • Instruction ID: 50a23be2f71b75d9bd105dba9357dac842a6f78cb0ac10f426ecc40ce3afd167
                                                                                                                            • Opcode Fuzzy Hash: 333038a2331046078befac741fccce696dec34d608f89fbdc8f77440674c734b
                                                                                                                            • Instruction Fuzzy Hash: 2B31947188E5911FE30AA3246C579F27BA4DF12765F1901B7D048DB5D3CA0E2993C366
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 6e822382236cb492f13c484259a9e117127f1df231189094f699cc5d8136d913
                                                                                                                            • Instruction ID: e9de309075048f95d750023c35deff800a4a00d64604641d8e56e4a7e4455719
                                                                                                                            • Opcode Fuzzy Hash: 6e822382236cb492f13c484259a9e117127f1df231189094f699cc5d8136d913
                                                                                                                            • Instruction Fuzzy Hash: 05310730A0DAC94FE746F728A8112B97BF4DF46390B0500E7D44DDB1E3CA1D1D4687A2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f969b8ea3ff2269cd84eb6d494b6904476ecee6e682e4234cff4f23a772378fe
                                                                                                                            • Instruction ID: 029e89812bb09f487b62527208f68e6442bffbedd4629ad2a73a87e085fccac0
                                                                                                                            • Opcode Fuzzy Hash: f969b8ea3ff2269cd84eb6d494b6904476ecee6e682e4234cff4f23a772378fe
                                                                                                                            • Instruction Fuzzy Hash: 5C31A83188E1911FD30A93246C579F17BA4DF52775F2901E7D048DB9E3CA0E6593C366
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 871130712688c8e71683d963213a6e66c7daed790bfa2c3f0786806e283ad9b2
                                                                                                                            • Instruction ID: 766ab7f8ec9e22140f60a74f7deb033b64d61396a4c0cc6e25397b8024f244f4
                                                                                                                            • Opcode Fuzzy Hash: 871130712688c8e71683d963213a6e66c7daed790bfa2c3f0786806e283ad9b2
                                                                                                                            • Instruction Fuzzy Hash: 2C218031B1DD0E4FEAD8E61D546567923C2EBA8791F24027BD40DD32D6EE39DC424344
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3022f3fabe4b740abc7c1929c09a6be604e5558544d7f80b2f9e40550f4888fa
                                                                                                                            • Instruction ID: 531848e0bb6d8f1b6b7eacec60b3dedfae8540ce653e8fd2c2e2797101ae794a
                                                                                                                            • Opcode Fuzzy Hash: 3022f3fabe4b740abc7c1929c09a6be604e5558544d7f80b2f9e40550f4888fa
                                                                                                                            • Instruction Fuzzy Hash: 1D016D30A0D80E5FD6A4FA2DA85563673D5EBAD764F80027BE40CD3296DE69EC058385
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e8adf573749662295f7a1767e3cc4f989ff70051d80d39820e9c9bd44e17b96c
                                                                                                                            • Instruction ID: 427ef4a04a2633ae9bdc8269a3a0328041cc06efd91ce20d83c4be329b9831e1
                                                                                                                            • Opcode Fuzzy Hash: e8adf573749662295f7a1767e3cc4f989ff70051d80d39820e9c9bd44e17b96c
                                                                                                                            • Instruction Fuzzy Hash: 7B11613180E7C95FE3179B3488685A57FB0EF67640F0A41EBC484DB1E3DA2D5949C722
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8722ae8a2bda2dd1b952d548c31c1a6bf46dc3a266a21bfdba3fdc365076efe2
                                                                                                                            • Instruction ID: 114bae514b97eaa97faf9774dc9f377b33b3504d5b33e1a36e9667682a11a56e
                                                                                                                            • Opcode Fuzzy Hash: 8722ae8a2bda2dd1b952d548c31c1a6bf46dc3a266a21bfdba3fdc365076efe2
                                                                                                                            • Instruction Fuzzy Hash: 8AF0E93270D9880FE394AA2CAC4E9B27FD4DBA617270502FFE94CC71B3E9469C468354
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fe1500e08cec844f9f3b20663b627489e09334ce29f87dfc6961f72e30570cd2
                                                                                                                            • Instruction ID: 4b514040802d61b36495bb15955f118247716616d0fff16921de63582600e48f
                                                                                                                            • Opcode Fuzzy Hash: fe1500e08cec844f9f3b20663b627489e09334ce29f87dfc6961f72e30570cd2
                                                                                                                            • Instruction Fuzzy Hash: B201A222C0DAC70FE366A33C19194746FD1EE62974B9802EBC498DB0E3DE189C4BC315
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3f1d877edbe9970fee5b9878101cb4186470bee585c8b1e96b98a0f711fc9183
                                                                                                                            • Instruction ID: 078ab4e34c6ddf16a8a2d7a4dfab44acbafbee8e09a0318082cae873700a8704
                                                                                                                            • Opcode Fuzzy Hash: 3f1d877edbe9970fee5b9878101cb4186470bee585c8b1e96b98a0f711fc9183
                                                                                                                            • Instruction Fuzzy Hash: 43112170E195598EEB9AEB2888492BDB3B1FF64740F1001BAD44EE21D3DF385981CB05
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e6793a566ca3746e305612cad75790a7e015009125432c9845a27aa35e7e3adb
                                                                                                                            • Instruction ID: 45bc07fd5ceb25b7b26647ad8b1a25f8a9cfce6bb270f1845a3fa0d25b60a85b
                                                                                                                            • Opcode Fuzzy Hash: e6793a566ca3746e305612cad75790a7e015009125432c9845a27aa35e7e3adb
                                                                                                                            • Instruction Fuzzy Hash: C101443190EEC91FE35AB33C24502B57BE0EFA6A94F2806BBC08DD21C3DE5C68428345
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: be2bc398e183b07575ba09712dd41a8dc07ff789d6df2fdfa9f49777b0f9180d
                                                                                                                            • Instruction ID: 0b7e68b0e2ec6bb0d22616c7df332f6666fc9e9b3bbc0674958b8caf5c43f86a
                                                                                                                            • Opcode Fuzzy Hash: be2bc398e183b07575ba09712dd41a8dc07ff789d6df2fdfa9f49777b0f9180d
                                                                                                                            • Instruction Fuzzy Hash: D8F06231B1EE1E0FF6D9B76C2459279A1D1EFA86A1F40117BD90DC2186EE2DA8814288
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fb598fb2bbd61769e930368daf64eecd4868f33119b70dc0a026230f1d3129cc
                                                                                                                            • Instruction ID: 619c9beb7e8c712b4d90f8c92f6266544aeb587ba0e49afc04845355b5ca3991
                                                                                                                            • Opcode Fuzzy Hash: fb598fb2bbd61769e930368daf64eecd4868f33119b70dc0a026230f1d3129cc
                                                                                                                            • Instruction Fuzzy Hash: 1AF02B62F0EA8A1FE392627CA89A2B46B84DBA8161B0841F7D04CC62D3CC484CC743D6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d3ba8dcfa1e83554696641fc7f92e81b6cf5fe1dceef54314f673efd27a27b7e
                                                                                                                            • Instruction ID: 003610e91c36b5ab4ac6460132c7905aca325dc051e1b52e1344def90f6289b9
                                                                                                                            • Opcode Fuzzy Hash: d3ba8dcfa1e83554696641fc7f92e81b6cf5fe1dceef54314f673efd27a27b7e
                                                                                                                            • Instruction Fuzzy Hash: 29018131A2AD4B4FDA98FB2C90915B673E2FFB8344B44457AD409D3289DF69E8428385
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: dc783273a283114733e1a15db870165dae5fc7f13fc96d18d1c9240015eb8265
                                                                                                                            • Instruction ID: cf7a0cb176e902b2d64d99599e4ac5b88d6678925aa93a4027f108d3f5212717
                                                                                                                            • Opcode Fuzzy Hash: dc783273a283114733e1a15db870165dae5fc7f13fc96d18d1c9240015eb8265
                                                                                                                            • Instruction Fuzzy Hash: FA01812581FAC61FD363637828202A16FA48F7356DB0D01E7D0D8FA1D7DA0C5859C3AA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a827e97452fb25f94da942fe36819e4b9d8d0238ae8ce4cf2dcf63a7ac992127
                                                                                                                            • Instruction ID: 3ad770ff648f9e470255a99a2c613ae48ac9312d587a93aaaf0905bc4aebfeac
                                                                                                                            • Opcode Fuzzy Hash: a827e97452fb25f94da942fe36819e4b9d8d0238ae8ce4cf2dcf63a7ac992127
                                                                                                                            • Instruction Fuzzy Hash: 8FF0E922E0FD9A0FD256A32C38641745B91EBB5564B4D03F7C448E71CBDD4C49460395
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7267a21634c2a4e8d76c371e85834913549070e87073b13f6315e5924caa0a54
                                                                                                                            • Instruction ID: 3b5308f690dad2c53449f95f0264309e65f7377e9c1c459b4f40926066c3cff7
                                                                                                                            • Opcode Fuzzy Hash: 7267a21634c2a4e8d76c371e85834913549070e87073b13f6315e5924caa0a54
                                                                                                                            • Instruction Fuzzy Hash: E3F0893160C80B1EF678A20D9499771E6D9EF993F9F150176E45EC21D3EA497C838254
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d10a5bfd8147903753e733f428c026129193bd09966c8f68ff60bfb5b91184e1
                                                                                                                            • Instruction ID: 8a69e61fbebce055fedcd06ce6a1d8b8b85b4c4d271bd871cdad52fa6025d5d8
                                                                                                                            • Opcode Fuzzy Hash: d10a5bfd8147903753e733f428c026129193bd09966c8f68ff60bfb5b91184e1
                                                                                                                            • Instruction Fuzzy Hash: 65016D3081D78E4FDB45EF2888541AA7FB0FF69200F4404ABD459D61A2DA7959548741
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 926ac000e3408ed66737269c40709835ba0aed7b7f2287c8126be93c243ec8b2
                                                                                                                            • Instruction ID: 98497353838d24ba8fe52300e284ec459f842c473e905288e4f9c24384f6f8e4
                                                                                                                            • Opcode Fuzzy Hash: 926ac000e3408ed66737269c40709835ba0aed7b7f2287c8126be93c243ec8b2
                                                                                                                            • Instruction Fuzzy Hash: 92F02427D1D89A1DF220733C25841F94B81EBF9BF5F180ABBC00CE61C3D90868075298
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8064d90c05a95a9ed0eada806d0efe36970efa472765e6453b42f5590e7068df
                                                                                                                            • Instruction ID: f097dc7cf4d01a64f34ccc694587e7164c638c309cdbe3d4925e3824b2c48d6c
                                                                                                                            • Opcode Fuzzy Hash: 8064d90c05a95a9ed0eada806d0efe36970efa472765e6453b42f5590e7068df
                                                                                                                            • Instruction Fuzzy Hash: DCF0DA71A2CB088B9B04AE4CBC434A977D0EB99B60F50116BF94A43241D625B8928AC7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4535895778dae0fe09b05be1f5a6709f37db45c8f8ed95ccca1096de455d2e79
                                                                                                                            • Instruction ID: 7d0bee967b693caf4a763cc851a21f6cb29af10823585e9228c229f475f5835b
                                                                                                                            • Opcode Fuzzy Hash: 4535895778dae0fe09b05be1f5a6709f37db45c8f8ed95ccca1096de455d2e79
                                                                                                                            • Instruction Fuzzy Hash: 95F03072B1DA1D4FE248BB1C64021B9B3C2EB89960F14416FC48FC7297DE16690B4399
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 237798673a9b8f4221f7cc5d99d37c217d86f5bcd668b0e9919474d5ff6feb28
                                                                                                                            • Instruction ID: bed8dd3e05f8e2d00f82c839e2130c8b799eef6a66705ff53227c662a8925198
                                                                                                                            • Opcode Fuzzy Hash: 237798673a9b8f4221f7cc5d99d37c217d86f5bcd668b0e9919474d5ff6feb28
                                                                                                                            • Instruction Fuzzy Hash: E0F0A96090E7C00FE70BA7384859621BFE1EFA7254B0D81EBC088DF0A3CA2C854AC312
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5aeab97117b5e284ccd463b2203a2df7cf3c83e292bbcb1fb64714729b0bf524
                                                                                                                            • Instruction ID: 0492481481af01d9a0d15328118aa1dc747d025f88d7a89aedcc6ecf8a1f7369
                                                                                                                            • Opcode Fuzzy Hash: 5aeab97117b5e284ccd463b2203a2df7cf3c83e292bbcb1fb64714729b0bf524
                                                                                                                            • Instruction Fuzzy Hash: 6BF0E531A1DD0D1EE6A8B32C64456BA72E1EBE4B90F90063BD40EE32C5DE6D68424385
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0ea94af2eacd1f35c162ae877a5a4f439250241285a9ba78cf8a480d8b63785e
                                                                                                                            • Instruction ID: d449c12b69a8fda78cf4253905d470eba285eb8dc6318d5cd92ee9d4ab353b87
                                                                                                                            • Opcode Fuzzy Hash: 0ea94af2eacd1f35c162ae877a5a4f439250241285a9ba78cf8a480d8b63785e
                                                                                                                            • Instruction Fuzzy Hash: 85F0C23051DACA0FD316AB7898546A07BE0AF56350B4D41FBD488CB2E3DA1DA8968355
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 657e0642e2f2c065c98b75f9f11fbdbe9bb8fa120defb8da4112badc59fad339
                                                                                                                            • Instruction ID: 5e08318802d595539e63e5361e374d2460949f5f1d59d9bf4bedaea0c0598c1a
                                                                                                                            • Opcode Fuzzy Hash: 657e0642e2f2c065c98b75f9f11fbdbe9bb8fa120defb8da4112badc59fad339
                                                                                                                            • Instruction Fuzzy Hash: 0CF02E21A0EDC74FD744F72864819B9BB91EF74640B0404BFC00DD71D7DE2CAA868714
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bd29d8ba1f39dd7d139c08b964b7104e00039e350fc97348978855fb81fbd97e
                                                                                                                            • Instruction ID: bd09cba395d0819f1adb18e77f9aa494f050c79ef0d063f87d555cad53a39913
                                                                                                                            • Opcode Fuzzy Hash: bd29d8ba1f39dd7d139c08b964b7104e00039e350fc97348978855fb81fbd97e
                                                                                                                            • Instruction Fuzzy Hash: 94E0D811A1E47919FA64726C74513F97740CF46368F4901B3D48CD61C7DD4E1C4502DA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1063c91a454afb8618149cd03ba564511f4ea07983fb80eb54188ad0bc8716a5
                                                                                                                            • Instruction ID: c1d833ce0254eca26cbab69f13f0c7c61e190ca5e9d46be4c8c73d1fc0a70fdc
                                                                                                                            • Opcode Fuzzy Hash: 1063c91a454afb8618149cd03ba564511f4ea07983fb80eb54188ad0bc8716a5
                                                                                                                            • Instruction Fuzzy Hash: 80E02B7291D3C10FF756E73548461A87FC1BF65650F4802FBC188CA0E3EB1C99458216
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f5ac3e610b8c31bf637b7d09295e126c6e72dc79ce6bb72bb8f5107147771cc0
                                                                                                                            • Instruction ID: ecb1e7ccc1018d1a9d92090f8aba27438855dd1b097ba27f2a10c6fc81cfaa9f
                                                                                                                            • Opcode Fuzzy Hash: f5ac3e610b8c31bf637b7d09295e126c6e72dc79ce6bb72bb8f5107147771cc0
                                                                                                                            • Instruction Fuzzy Hash: 3AE09232D1D88A1EF261B32805491794A81EFB9AB4F6805FBC44CE31C6D9192C469298
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 026b8f1ef5e65e853870322ce6641cdf75dc444d694cd89695187d5c2f8d9d07
                                                                                                                            • Instruction ID: d352adf488cd6a20b219ecb90efce772007ce2c7a74b40f3682b239f57c5596a
                                                                                                                            • Opcode Fuzzy Hash: 026b8f1ef5e65e853870322ce6641cdf75dc444d694cd89695187d5c2f8d9d07
                                                                                                                            • Instruction Fuzzy Hash: 2EE07D32D0CD4C4FCB80FB98F8014D67BA0FBC5308F0400AAE44CC3182D2219411C351
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7a405f30afdd305afcf985901b4afbce78be9269ba36b1474421eca1777d1f2c
                                                                                                                            • Instruction ID: a459afc5897da0327e9785df9f138fe5aa399c893a3252b99a1193962b6fb388
                                                                                                                            • Opcode Fuzzy Hash: 7a405f30afdd305afcf985901b4afbce78be9269ba36b1474421eca1777d1f2c
                                                                                                                            • Instruction Fuzzy Hash: 4DE0CD2192E47615FAA4726C70513F96380CF09368F4411B3E48CD61C7DD4D2C8101D9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
                                                                                                                            • Instruction ID: 5b0e6908d5a12d2b7017afe4a0661759c0d27a2ba12164b1d29dcfa79f936280
                                                                                                                            • Opcode Fuzzy Hash: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
                                                                                                                            • Instruction Fuzzy Hash: A7E0D83260C4054FE718FB04D4905F47392EB95360F20463BC406C62D2DE6CF4418344
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 431d123475054d0202908a6f867d7bcf09dd67613cc1599c76041faf062a24d3
                                                                                                                            • Instruction ID: aa9d948b3dcb802e4b486da716735c244ac21176ec7c557e999ba393c210f536
                                                                                                                            • Opcode Fuzzy Hash: 431d123475054d0202908a6f867d7bcf09dd67613cc1599c76041faf062a24d3
                                                                                                                            • Instruction Fuzzy Hash: 92E06DB041D7D00EE70AA73448251A5BFA0AF53354F8805EED4C9CB0E3C66C8149C342
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 950f53dea43edad98cefe657cecc5ba5e176e6a37f84c306a60cad4b385e27c1
                                                                                                                            • Instruction ID: f094818b89aa285c40f7ba433288ae19249c0cfb1b9ff19caeaf5a9297bcd775
                                                                                                                            • Opcode Fuzzy Hash: 950f53dea43edad98cefe657cecc5ba5e176e6a37f84c306a60cad4b385e27c1
                                                                                                                            • Instruction Fuzzy Hash: E6E08671A0DC394FDAB4EB1C544466477D1FF29780B0500E6D04DDB1D6C6105D4843C1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7ff848f40000_BootstrapperV1.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 18ba18a943ee4dd1e0716ccb17947207b2c0a5ac732912e0e0b1e0b67193fad7
                                                                                                                            • Instruction ID: 02e34b6d00d37030b9b9e17afd128f974ef12578fd4a71062af4aec8c3980143
                                                                                                                            • Opcode Fuzzy Hash: 18ba18a943ee4dd1e0716ccb17947207b2c0a5ac732912e0e0b1e0b67193fad7
                                                                                                                            • Instruction Fuzzy Hash: 4DD01221E1FC1A1AD0B4732C34156690085DBE8AA4F850373E80CF22C9DD189D4102D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2548303521.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$HAH$HAH$HAH
                                                                                                                            • API String ID: 0-3303410093
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: HAH$HAH$aQ_H$J_H
                                                                                                                            • API String ID: 0-273194917
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: K_^$K_^$K_^#$K_^$
                                                                                                                            • API String ID: 0-2382080200
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: K_^$K_^$K_^$K_^
                                                                                                                            • API String ID: 0-4267328068

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:22%
                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:3
                                                                                                                            Total number of Limit Nodes:0
                                                                                                                            execution_graph 4280 7ff848f21283 4281 7ff848f21287 RtlSetProcessIsCritical 4280->4281 4283 7ff848f22a72 4281->4283

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 162 7ff848f2298d-7ff848f22a70 RtlSetProcessIsCritical 166 7ff848f22a78-7ff848f22aad 162->166 167 7ff848f22a72 162->167 167->166
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.4507898536.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_7ff848f20000_XClient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2695349919-0
                                                                                                                            • Opcode ID: 7f277299ccb4dd7fc865feaff3c7d6aed191e55fcfb7320bb9ed1831023d238b
                                                                                                                            • Instruction ID: 9e263a5897fd22a6dad8f56ba0539e039f2755a8ca2902d8cce509f2e4f287c5
                                                                                                                            • Opcode Fuzzy Hash: 7f277299ccb4dd7fc865feaff3c7d6aed191e55fcfb7320bb9ed1831023d238b
                                                                                                                            • Instruction Fuzzy Hash: 3541B13180C6588FD719DFA8D845BE9BBF0FF56311F04416EE08AD3692DB786846CB91

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 169 7ff848f21283-7ff848f22a0a 173 7ff848f22a12-7ff848f22a70 RtlSetProcessIsCritical 169->173 174 7ff848f22a78-7ff848f22aad 173->174 175 7ff848f22a72 173->175 175->174
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.4507898536.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_7ff848f20000_XClient.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2695349919-0
                                                                                                                            • Opcode ID: 620d91515578078bf5ec157ab8d365e516f50c23cadcb2b89a09067fecc83675
                                                                                                                            • Instruction ID: f1bc0a368a477a7aa6c432375c81c97bf36467992dd2824de84750c043e815dc
                                                                                                                            • Opcode Fuzzy Hash: 620d91515578078bf5ec157ab8d365e516f50c23cadcb2b89a09067fecc83675
                                                                                                                            • Instruction Fuzzy Hash: 3431D23180CA588FDB28EF9CD8456F9BBF0FF55311F04012EE09AD3692DB7468468B95
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.2212313587.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff848f00000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bc43e88fd6641277816906017287ac351d2e5ebcc016031f0f47e49ea60b8da3
                                                                                                                            • Instruction ID: 31a192341165bcd09dd4db904d60a4f2003ba927a24060c7f9ab7ba5fa1b11aa
                                                                                                                            • Opcode Fuzzy Hash: bc43e88fd6641277816906017287ac351d2e5ebcc016031f0f47e49ea60b8da3
                                                                                                                            • Instruction Fuzzy Hash: E6316E3290E7968FE746EB78A8A50E53FB0EF47654B0901F7C084CF1E3EA18184A8365
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.2212313587.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff848f00000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bdb2c3c6bc70e2d84c82ffb451d1e857c0a4912235abb388c704b13b32192ab2
                                                                                                                            • Instruction ID: 84fdc08ed0875853dd0ebf0c5f83c5d65edc2faf44bf23c3e1b07a2f30cf923c
                                                                                                                            • Opcode Fuzzy Hash: bdb2c3c6bc70e2d84c82ffb451d1e857c0a4912235abb388c704b13b32192ab2
                                                                                                                            • Instruction Fuzzy Hash: 5921713290E7D64FE756EB78A8A50E67F70EF43254B0901F7C084CF1E3DA18184A8366
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.2212313587.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff848f00000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9a0e501e59550e2dedf04b86d8158e153265eba28246dac49299c36801ae9d91
                                                                                                                            • Instruction ID: c9112baf681dc0533be9428d23405c83c8322dba2dc2be134a2da3d395e87382
                                                                                                                            • Opcode Fuzzy Hash: 9a0e501e59550e2dedf04b86d8158e153265eba28246dac49299c36801ae9d91
                                                                                                                            • Instruction Fuzzy Hash: EB718430B2991A5FEB98F778946977976E2FF89340F940478E40EC33C6EE2C68418754
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.2212313587.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff848f00000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d09f2d30d28ed74595bd35c56da4556441f9b4b03aaf90f7d7fdefd8a7611cf1
                                                                                                                            • Instruction ID: b2163be058e1aeb9b85b902fafab7bf570afc42683c5e98dd1d5eb60d9f54906
                                                                                                                            • Opcode Fuzzy Hash: d09f2d30d28ed74595bd35c56da4556441f9b4b03aaf90f7d7fdefd8a7611cf1
                                                                                                                            • Instruction Fuzzy Hash: 85512630A0E68A1FE356B73888166757BE2DF87664B0940FAD48DC7293DD1C9C468362
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.2212313587.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff848f00000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7021d94a3ef21f8bbc59276c63ba7dcf30087873d36dbe3cf65e5cfd1b72cd87
                                                                                                                            • Instruction ID: 4bfc1b517085cec4f48a3ea5760dd183edf90ea4921cceb375bfe99f8e5a65f8
                                                                                                                            • Opcode Fuzzy Hash: 7021d94a3ef21f8bbc59276c63ba7dcf30087873d36dbe3cf65e5cfd1b72cd87
                                                                                                                            • Instruction Fuzzy Hash: F6310131F1D9091FE688FB6C985A379A6C2EFA9745F1405BEE00EC32D7DE289C428344
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.2212313587.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff848f00000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ecd21bff0eca72c7839c6a2fb8c4c649cf6b3642d62b09c67b70f0d15eddbe83
                                                                                                                            • Instruction ID: 0fc31ef96ceb430097a066f5958a5caea3e1c8a1d07cf535fd0a7f0094279383
                                                                                                                            • Opcode Fuzzy Hash: ecd21bff0eca72c7839c6a2fb8c4c649cf6b3642d62b09c67b70f0d15eddbe83
                                                                                                                            • Instruction Fuzzy Hash: B031B021F2D94A5FE784BBB898593B967D2EF99785F140276E40DC32C3EE1C98018352
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.2212313587.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff848f00000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0e5a7612492adceea2d6ec65c80a4301ccee15a83fa68f7b7cf3c07a0e5ce0e0
                                                                                                                            • Instruction ID: fe9cf2bacdbf6bbd6d23a0ff7c72b32a3fb8356ce5cd9ec3df920319cccd83b6
                                                                                                                            • Opcode Fuzzy Hash: 0e5a7612492adceea2d6ec65c80a4301ccee15a83fa68f7b7cf3c07a0e5ce0e0
                                                                                                                            • Instruction Fuzzy Hash: 6F317030E19A0A9FEB44FBA884596EABBB2FF98340F940579D009D3386DE3C69418755
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.2212313587.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff848f00000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 42d4d6059afd88ad0826dcf1a08874e97b04462a30d74a711aa4194e4ed030d9
                                                                                                                            • Instruction ID: 9b2d1d043116d88e80999741ec6398d5eb352c603e495ed0c89ebb0da0e8e411
                                                                                                                            • Opcode Fuzzy Hash: 42d4d6059afd88ad0826dcf1a08874e97b04462a30d74a711aa4194e4ed030d9
                                                                                                                            • Instruction Fuzzy Hash: 42017674D0CB854FE346F7381865032BFE0DF92281F4804AFE888C21D3EA285A418362
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2293036391.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ff848f10000_Teams.jbxd
                                                                                                                            • Opcode ID: 3e324597de37e35db67f7c5545e8afb318ef7f74fc3a802b467cf930c608edfa
                                                                                                                            • Instruction ID: d88f4616344bafa066423c2ebecaa2110125fd68705febc1601fe6dee186a536
                                                                                                                            • Opcode Fuzzy Hash: 3e324597de37e35db67f7c5545e8afb318ef7f74fc3a802b467cf930c608edfa
                                                                                                                            • Instruction Fuzzy Hash: 4D31A021F2D95A5FE784B77898593B966D2EFD8785F140276E40DC32C3DE1C6C018792
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2293036391.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ff848f10000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0dbe414979d5c49c2f6ca1df280db98cee4f8a75c6d2e00b7e463d3c5c38e8ae
                                                                                                                            • Instruction ID: a92b144ebdae9e1cf58d1a321e400f4b2e08d26b717d888bf0fedabcea87c072
                                                                                                                            • Opcode Fuzzy Hash: 0dbe414979d5c49c2f6ca1df280db98cee4f8a75c6d2e00b7e463d3c5c38e8ae
                                                                                                                            • Instruction Fuzzy Hash: 71319E30A1AA5A9FEB84FB6884656FA7BB2FF98341F500479D009D3386CE3D68418754
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.2293036391.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_7ff848f10000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c112c19df7a28b48c1af79f1cf8f05a0f7a71780ad5450d049547bb1cc8b5ed8
                                                                                                                            • Instruction ID: 3ff4382bf57da9dc5eb37d042157862f32c3364b086d79229726c87c41edad31
                                                                                                                            • Opcode Fuzzy Hash: c112c19df7a28b48c1af79f1cf8f05a0f7a71780ad5450d049547bb1cc8b5ed8
                                                                                                                            • Instruction Fuzzy Hash: DB012675D0DB954FE385F7782861072BFE0DF95381F0804AFE888C61D7DA186E448352
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 23089edb1ac96dd81776e6a0306bc50f62ddfc19d41bbd26695fc8cb18401142
                                                                                                                            • Instruction ID: 95c2cc2a118569c7318fa2de59b59a8d5f49c1b830ccbd2436ba6f08c2e205a2
                                                                                                                            • Opcode Fuzzy Hash: 23089edb1ac96dd81776e6a0306bc50f62ddfc19d41bbd26695fc8cb18401142
                                                                                                                            • Instruction Fuzzy Hash: 6A129430F2DA499FE798F73894596B977D2FF98780F44057AE40EC32C6DE28A8818745
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5660def0f94a5d7432bb659d21b7d2df02622da201e5bcf7f3b8ba3b9da5bfc4
                                                                                                                            • Instruction ID: f243e4e58a33a9cb9865364413b3f34137ebfa8ea2f8afb2ae99d4e570920179
                                                                                                                            • Opcode Fuzzy Hash: 5660def0f94a5d7432bb659d21b7d2df02622da201e5bcf7f3b8ba3b9da5bfc4
                                                                                                                            • Instruction Fuzzy Hash: 6A513220A1E6C95FD786AB785864275BFE1EF97256F0800FBE08DC71D7DE18484AC346
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bb8bc3e510a20854a27940e4bddef6da4392e2ca2c076f2df586c492f536f51d
                                                                                                                            • Instruction ID: 4aeb4a62e7120a73f430a5c56b12e30a45d03bbae6006ff44347fe573248f1b2
                                                                                                                            • Opcode Fuzzy Hash: bb8bc3e510a20854a27940e4bddef6da4392e2ca2c076f2df586c492f536f51d
                                                                                                                            • Instruction Fuzzy Hash: 12519432D0E69A8FDB46FB78A8A50E97FB0FF46250F0402B7D049DB1D3DE18284A8755
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 15d91d9176928543d2b3c111f2daa95002dabbfc6685f9f7095f96126f427253
                                                                                                                            • Instruction ID: 037b6d38d3cff70cd57fdbd3ad9409cee5e05e5d7a4c49cdf1b0a3f86452b193
                                                                                                                            • Opcode Fuzzy Hash: 15d91d9176928543d2b3c111f2daa95002dabbfc6685f9f7095f96126f427253
                                                                                                                            • Instruction Fuzzy Hash: C1419432D0E68A8FDB46F768A8A50E97FB0FF46250F0402B7D049DB1E3DE1C284A8355
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a6e4ee3689cc8c1f6f9451191c7b55e9efcb134c3941bfeaacc928dc6394c426
                                                                                                                            • Instruction ID: abecd3b6ccc1dd62bea5032ab04c4fc085eb44b262482eafb137b546cd846789
                                                                                                                            • Opcode Fuzzy Hash: a6e4ee3689cc8c1f6f9451191c7b55e9efcb134c3941bfeaacc928dc6394c426
                                                                                                                            • Instruction Fuzzy Hash: E9715170B2991A9FEB94F77894697B976E2FF88340F940479E40EC33C6EE2C68418754
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 96ea9a182d64bca334bde4693db380de4a69c3eb7b5cf00e121f56ac47fed63f
                                                                                                                            • Instruction ID: 5deb79fb20135c71123303d866105e05aca4bfd15ae7d6dfff100e5195121eb6
                                                                                                                            • Opcode Fuzzy Hash: 96ea9a182d64bca334bde4693db380de4a69c3eb7b5cf00e121f56ac47fed63f
                                                                                                                            • Instruction Fuzzy Hash: 3A510830A1E6861FE356B73898156757BE1EF876A0B0900FBD48DC7197DD1C5C468352
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5ead856d8c14c87f70bfa3846255f6a2bb03b7407ead6e255719705d55c6ae82
                                                                                                                            • Instruction ID: fe4508ed7943a9e34b807795aed7bdffa21d1bd9a4ed2de5c56ffb2747ffa0da
                                                                                                                            • Opcode Fuzzy Hash: 5ead856d8c14c87f70bfa3846255f6a2bb03b7407ead6e255719705d55c6ae82
                                                                                                                            • Instruction Fuzzy Hash: 5631E331F1D9491FE688FB6C985A379B6C2EB98741F1405BEE00EC32D7DE289C458345
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2bbccbc33c896268351eb698d02a92c0259ccad0637003cdc9571aa6d1a0efc5
                                                                                                                            • Instruction ID: ec6eef5d74b4d12e4e9e3a0d1ce578942038b154e90545dcb0794b92f3cd97a1
                                                                                                                            • Opcode Fuzzy Hash: 2bbccbc33c896268351eb698d02a92c0259ccad0637003cdc9571aa6d1a0efc5
                                                                                                                            • Instruction Fuzzy Hash: 87318021F2D94A5FEB84BBB898593B9B7D2EF98795F040277E40DC32C3DE1858018792
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f2202cb5fedd7deef618656d6df919f9f456ade703ca0617a238402d31e86f7c
                                                                                                                            • Instruction ID: b826b5f574dfab1892a545e39bc075cd94dc4f42844be527b8215545729837fd
                                                                                                                            • Opcode Fuzzy Hash: f2202cb5fedd7deef618656d6df919f9f456ade703ca0617a238402d31e86f7c
                                                                                                                            • Instruction Fuzzy Hash: 24316070E1A60A9FEB44FB6884696FA7BB1FF98340F90457AD009D3286DE3C6941C754
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.2688299111.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_7ff848f30000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7ee339a8397282af0483ac0ee722a58d18fec84f6b04d5b5bc4bc2d5c3a57bba
                                                                                                                            • Instruction ID: 739d6e2565104b2e547d4dfa517b43dfecd6c0508a7a3f7086aad18f288641a1
                                                                                                                            • Opcode Fuzzy Hash: 7ee339a8397282af0483ac0ee722a58d18fec84f6b04d5b5bc4bc2d5c3a57bba
                                                                                                                            • Instruction Fuzzy Hash: 59012675D0DB854FE386B77818A5072BFF0DF95681F4804ABE888C21D7EA186A848356
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.3290306639.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_7ff848f20000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c8f72ce81e2da248aab27631e6edd3d32baa984b608e736b40e9e0b64b0a2bc4
                                                                                                                            • Instruction ID: bb5b7ac1f29ac1f4da65094b986e92368dbdb48abc5d40ede1b92aa742d3d095
                                                                                                                            • Opcode Fuzzy Hash: c8f72ce81e2da248aab27631e6edd3d32baa984b608e736b40e9e0b64b0a2bc4
                                                                                                                            • Instruction Fuzzy Hash: 8712F431A2DA4A5FE798FB78946A7B977E2FF88340F440579D40DC32C2DE2DA8818345
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.3290306639.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_7ff848f20000_Teams.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.3885692608.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_7ff848f20000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7be29ca3305264fca6338131b95ab9f93de967ecb61085bf1c6a0adbeabefe03
                                                                                                                            • Instruction ID: adad400c3aa59943f30d8c2084f4e165bb4769a642cced54d5781a5c0caba691
                                                                                                                            • Opcode Fuzzy Hash: 7be29ca3305264fca6338131b95ab9f93de967ecb61085bf1c6a0adbeabefe03
                                                                                                                            • Instruction Fuzzy Hash: 6112B031A2DA0A5FE798FB6C94597BA77E2FF88740F440579D00EC32C6DE29B8418749
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.3885692608.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_7ff848f20000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 40d68ee08801ae4959095006e75239429bd27ea2c2cddc8ac6a272124e55a0a0
                                                                                                                            • Instruction ID: 38f653c7cbf68c2ea45dd9b0e8f6563e67abf2ae4da25d6bfc27e0f691b4c197
                                                                                                                            • Opcode Fuzzy Hash: 40d68ee08801ae4959095006e75239429bd27ea2c2cddc8ac6a272124e55a0a0
                                                                                                                            • Instruction Fuzzy Hash: F4515020A1E6C91FD786ABB86824275BFD1EF9B265F0804FBE08DC71D7CE185846C346
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.3885692608.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_7ff848f20000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f1efec912a7a6a578cf1941d000ba148719b4252fef1271028f86c1c6b8b5380
                                                                                                                            • Instruction ID: 7bede9858a73298f5163b5b12ffca125a7ffdc69811b493be267469dd1a30711
                                                                                                                            • Opcode Fuzzy Hash: f1efec912a7a6a578cf1941d000ba148719b4252fef1271028f86c1c6b8b5380
                                                                                                                            • Instruction Fuzzy Hash: 55519432D0D69A8FD741E7BCA8A51E97FB0FF46250F0401B7C149DB1D3DE29284A8759
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.3885692608.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_7ff848f20000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 70495de0a1cb34c67c545a679da95a56963548bc628af5cb2e42f01406caeb49
                                                                                                                            • Instruction ID: 47c26d5e64d254f1d3120a962f7e174a257b8ba302729d63516c2cda7d163e0d
                                                                                                                            • Opcode Fuzzy Hash: 70495de0a1cb34c67c545a679da95a56963548bc628af5cb2e42f01406caeb49
                                                                                                                            • Instruction Fuzzy Hash: 23419532D0D69A4FD742E7ACA8A61EA7FB0FF46250F4401B7C049DB1D3DE2D284A8359
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.3885692608.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_7ff848f20000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 33f87cb93e3dda2e1e8fce0c42717d6aea896d87ff831c0bf671ae0b48e1f3fc
                                                                                                                            • Instruction ID: f7d6dad41fd94e0481df16dd8021006c580103bfff7d5c9f76e5137ea557f6e3
                                                                                                                            • Opcode Fuzzy Hash: 33f87cb93e3dda2e1e8fce0c42717d6aea896d87ff831c0bf671ae0b48e1f3fc
                                                                                                                            • Instruction Fuzzy Hash: E9716030B2991A5FEB94F77C94697B966E2FF88340F540478E40EC32C6DE2DB8418748
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.3885692608.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_7ff848f20000_Teams.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 62657449d018719efb96cb0d75cd4b143f16e2baa25e28bc9e3be93bf00ceb9a
                                                                                                                            • Instruction ID: 7e845f16f7590de644be831db298fdfa8e08b5c53bc277737f67729222985e3d
                                                                                                                            • Opcode Fuzzy Hash: 62657449d018719efb96cb0d75cd4b143f16e2baa25e28bc9e3be93bf00ceb9a
                                                                                                                            • Instruction Fuzzy Hash: 06512531A0EACA1FE356B73898162757BE2EF87660B0900FAD48DC7297DD1C9C428356
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.3885692608.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_7ff848f20000_Teams.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000016.00000002.4486233054.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_22_2_7ff848f30000_Teams.jbxd